SecureKomodo - hacker of things
https://www.securekomodo.net:443/index.xml
Recent content on SecureKomodo - hacker of things (generated by Hugo -- gohugo.io, en-us). Last updated Wed, 12 Oct 2016 00:00:00 +0000.

GrrCon 2016 OSINT CTF
https://www.securekomodo.net/post/2016/grrcon-2016-osint-ctf/
Wed, 12 Oct 2016 00:00:00 +0000
<p>Aside from the great speakers and free beer, one of my favorite things about GrrCon is that everything is so hands-on and interactive for all skill levels. I got to pick various locks, try to pwn some IoT light bulbs, and even compete in CG Silvers' Open Source Intelligence (OSINT) capture the flag competition, where our team &ldquo;ramrod&rdquo; took 1st place!!!</p>
<h3 id="the-contest">The Contest</h3>
<p>2 real human targets.</p>
<ul>
<li><p>No paid search services can be used. All teams must be able to provide a URL for each flag submission upon request. We will spot check the winning teams and disqualify any source URLs that cannot be verified without requiring authentication beyond a generic LinkedIn, Spokeo, Twitter, Jigsaw, Flickr, Pastebin, shodan, or Facebook account that has no connection with any of the targets.</p></li>
<li><p>Teams are not allowed to call, email, or elicit information from the targets in ANY way.</p></li>
<li><p>C G Silvers Consulting reserves the right to disqualify any team that uses unethical means or disregards the intent of the contest.</p></li>
<li><p>You get two guesses per challenge. Format does matter. Please read carefully and take note of the format for each flag.</p></li>
<li><p>At least one member of each team must be present at the awards presentation to win.</p></li>
</ul>
<p>Our job was to use any open source of information to find out and answer questions about our targets with questions varying in complexity and points.</p>
<h3 id="the-ramrod-approach">The &ldquo;ramrod&rdquo; approach</h3>
<p>Our team decided to knock out as many of the low-hanging-fruit questions as possible. Most of the information here was obtained just by meticulously going through the targets' Facebook profiles for every post, comment and tag. This approach was apparently used by every other team as well, because we were sitting somewhere around 10th place at this point.</p>
<p>Once we started to build profiles of our targets and document their relevant info, we started to connect the dots with the questions and really gained momentum on the leaderboard. Some answers we submitted right away; others we held off on until we could validate their authenticity. Remember, only 2 guesses are allowed, so it was crucial to submit only when we were confident in the result. We were hovering around 3rd and 4th place with only about an hour left in the competition.</p>
<p>With only 15 or so minutes left in the competition, we had built an archive of answers that we were about 90% sure were correct. So everyone started submitting the final answers we had, and it turned out they were all correct. Knocking out some of the high-value questions launched us into 1st place, and we ended up taking 1st by only 10 points!</p>
<h3 id="final-thoughts">Final Thoughts</h3>
<p>This OSINT CTF was such a good learning opportunity. It's not &ldquo;hacking&rdquo; in the traditional sense of the word, but more of a think-outside-the-box exercise. Being able to take only fragments of information about a target and enumerate an entire profile of them is a truly valuable skill in infosec.</p>
<p>With our hard work we won the top prizes!</p>
<ul>
<li>GrrCon Black Badge</li>
<li>Drone</li>
<li>Hak5 WiFi Pineapple Tetra</li>
</ul>
<p>Had an amazing time and can't wait until next year!</p>
<p>Go team ramrod!!!</p>
Reconnaissance and Footprinting
https://www.securekomodo.net/reconnaissance-and-footprinting/
Mon, 24 Aug 2015 06:27:18 +0000
<h1 id="reconnaissance-and-footprinting">Reconnaissance and Footprinting</h1>
<p>Reconnaissance and footprinting is the first phase of the ethical hacking process. Although this phase does not involve breaking into a network or system, it is still fun and quite possibly the most important. I will discuss some of the tools and techniques I use for actively and passively footprinting a target during the reconnaissance phase of a penetration test. Of course, this will be very high-level and not inclusive of all the techniques used to recon and footprint a target.</p>
<h5 id="tip-8211-according-to-ec-council-footprinting-is-a-part-of-recon"><em>Tip &#8211; According to EC Council, footprinting is a part of recon.</em></h5>
<p>During recon, it is important to learn as much about your target as possible. The more you know about your target, the better prepared you can be when you engage in your attack. It is imperative that you begin to research and understand the security posture of the target. Doing so lets you narrow the attack surface you actually need to probe and mount a more focused attack with a better success rate. It may help to start building an information database containing possible strengths and weaknesses of your target along with a network map. Again, the more detail-oriented you are, the more success you will typically have during the later stages of the ethical hack. I found that starting with search engines and websites is a good first step, so I will start with that.</p>
<p><strong>Search Engines, Websites, Google Hacking</strong></p>
<p>Now I am not just talking about some simple Google searches; there are so many engines for various types of content that can really help your recon. Google Earth can locate any address and often give you Street View access to your target. This aids in any social engineering attack or wireless access point attack. With a map of the physical property, I can now see where your trash is stored, where people enter and exit, and possibly spot any security cameras.</p>
<p>People searches are pretty easy now, as most people feel the need to share and post every aspect of their lives to the world. Again this will assist with social engineering as you build a profile of your target's personality and relationships. I do not think I need to provide any examples of widely known social media sites&#8230;</p>
<p>Job websites like LinkedIn or Monster can be some of the most important sources of information. You would not believe the type of information that can be obtained about an organization's infrastructure simply by reviewing the required skills on some of its job postings. While writing this up I did some quick browsing and found a &#8220;Lead Security Engineer&#8221; position in the healthcare industry posted 3 days ago.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/09/Capture.png"><img class="alignnone wp-image-1568 size-full" src="http://securekomodo.net/wp-content/uploads/2015/09/Capture.png" alt="" width="663" height="298" /></a></p>
<p>Just by reading their job posting I can see they are mostly Windows systems behind some Cisco and Check Point firewalls. They also monitor the network using Snort and scan for vulnerabilities using Nessus. That is some pretty good stuff to know when I am going to be trying to bypass and evade those products!</p>
<p>Another technique is to use the search operators and advanced search capabilities of Google and other sites, aka Google hacking. There are many sites that have pre-baked search queries to find specific vulnerable websites or unique products. Make use of them, and set up alerts for any that show up within the public domain of your target organization. One of the most up-to-date databases of these queries is the Google Hacking Database found at <a href="https://www.exploit-db.com/google-hacking-database/">https://www.exploit-db.com/google-hacking-database/</a>. While browsing over some of the example searches I saw one that allowed me to search for UPS tracking and shipping notifications. With the delivery date and time information I could intercept the shipment in transit, compromising the integrity of any package the target receives.</p>
<p><strong>Google search:</strong> <a class="external" href="http://www.google.com/search?hl=en&lr=&safe=off&q=site%3Aups.com+intitle%3A%22Ups+Package+tracking%22+intext%3A%221Z+%23%23%23+%23%23%23+%23%23+%23%23%23%23+%23%23%23+%23%22&btnG=Search" target="_blank" rel="nofollow">site:ups.com intitle:&#8221;Ups Package tracking&#8221; intext:&#8221;1Z ### ### ## #### ### #&#8221;</a></p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/09/2cc68b7c1ba0a12bb8bc3438ecfea4d118bdefa65989dfa74825af5f85919739.jpg"><img class="alignnone wp-image-1567 size-full" src="http://securekomodo.net/wp-content/uploads/2015/09/2cc68b7c1ba0a12bb8bc3438ecfea4d118bdefa65989dfa74825af5f85919739.jpg" alt="" width="500" height="298" /></a></p>
<p><strong>Email, WHOIS</strong></p>
<p>Email to this day is still one of the most widely used forms of communication. Knowing how to track where an email has been, or whether it has been viewed, can be very helpful. I am not going to re-discuss how to view an email header since it was a previous blog topic of mine. If you want a more in-depth description of the breakdown of an email header, I encourage you to take a look at my previous post, which is an introductory examination of email forensics: <a href="http://securekomodo.net/introduction-to-the-forensic-examination-of-e-mail/" target="_blank">http://securekomodo.net/introduction-to-the-forensic-examination-of-e-mail/</a>.</p>
<p>WHOIS, however, is a skill I continue to use and improve on. In case you do not know what WHOIS information is: in short, WHOIS databases contain the registration and contact information for domain owners and IP address allocations (keep in mind that many registrants sit behind privacy or proxy services, and the data is only as accurate as the registrant made it). Knowing who manages the domain, what other domains are registered to that owner, and their IP address ranges are some of the most critical pieces of information you can retrieve, especially if you are performing a black-box pentest. More and more tools and resources are becoming available that take standard WHOIS queries and expand on them by providing histories of the domain's ownership, geolocation of IPs and more. I like to use netcraft.com because it provides information about the server, registrar, domain history and more. Take a look at this query and see what type of information you can find out about kittenwar.com!</p>
<h1 id="toc_2">😼 +💣 =💥</h1>
<p><a href="http://toolbar.netcraft.com/site_report?url=http://www.kittenwar.com">http://toolbar.netcraft.com/site_report?url=http://www.kittenwar.com</a></p>
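<p>Web front-ends like Netcraft are convenient, but on an engagement you usually end up with raw WHOIS text from <code>whois</code> and need the same handful of fields (registrar, name servers, netblock, contacts, expiry) in a form you can drop into your target database. The script below is an added example for this post, not a tool from the original page. The reply it parses is constructed for illustration using the IANA-reserved EXAMPLE.COM and an RFC 5737 documentation netblock, laid out the way the Verisign (.com) and ARIN servers format "Key: Value" lines; real replies vary by registry, registrar and RIR, so the key aliases in <code>first()</code> are a starting point to extend, not a spec.</p>

```python
"""Pull the recon-relevant fields out of a raw WHOIS reply.

Added example for the recon post; not a tool from the original page.
The reply below is constructed (EXAMPLE.COM, 192.0.2.0/24), not a real lookup.
"""
import re
from datetime import date
from typing import Optional

# Constructed sample reply resembling a thin-registry (.com) record plus an ARIN netblock.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: RESERVED-Internet Assigned Numbers Authority
   Updated Date: 2015-08-14T07:00:00Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2016-08-13T04:00:00Z
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   Registrant Organization: Example Networks LLC
   Registrant Email: hostmaster@example.com
   Admin Email: hostmaster@example.com
   Tech Email: noc@example.com
>>> Last update of whois database: 2015-08-24T06:00:00Z <<<

NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Networks LLC
"""

# One "Key: Value" per line; the value may itself contain colons (timestamps).
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.+?)\s*$", re.MULTILINE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text: str) -> dict:
    """Return a normalised recon record from raw WHOIS text."""
    fields = {}
    for key, value in KEY_VALUE.findall(text):
        # "Registry Expiry Date" -> "registry_expiry_date"; repeated keys become lists.
        norm = re.sub(r"[^a-z0-9]+", "_", key.lower()).strip("_")
        fields.setdefault(norm, []).append(value)

    def first(*names):
        # Registries name the same field differently; take the first alias present.
        for name in names:
            if name in fields:
                return fields[name][0]
        return None

    return {
        "domain": (first("domain_name") or "").lower() or None,
        "registrar": first("registrar", "sponsoring_registrar"),
        "created": first("creation_date", "created_on"),
        "expires": first("registry_expiry_date",
                         "registrar_registration_expiration_date", "expiration_date"),
        "name_servers": sorted(ns.upper() for ns in fields.get("name_server", [])),
        "org": first("registrant_organization", "orgname"),
        "net_range": first("netrange"),
        "cidr": first("cidr"),
        # Every address anywhere in the reply, de-duplicated: pretexting/phishing leads.
        "emails": sorted(set(EMAIL.findall(text))),
    }


def days_until_expiry(record: dict, today_iso: str) -> Optional[int]:
    """Days until the registration lapses; a domain about to expire is a hijack risk worth noting."""
    if not record.get("expires"):
        return None
    expires = date.fromisoformat(record["expires"][:10])
    return (expires - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    for key, value in rec.items():
        print(f"{key:13} {value}")
    print("days to expiry:", days_until_expiry(rec, "2015-08-24"))
```

<p>Feed it the output of <code>whois target.com</code> and <code>whois &lt;ip&gt;</code> separately; the domain record gives you registrar, name servers and contacts, the RIR record gives you the netblock you will later hand to your scanner.</p>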
<p><strong>Footprinting through Social Engineering</strong></p>
<p>Really, social engineering is a topic in itself and I plan to go into detail about it in later posts. For now, though, I am just going to touch on a few key takeaways from this attack vector and focus on its use during footprinting. Social engineering is the art of convincing people to reveal sensitive information. It relies on the fact that most people remain unaware of how valuable their information is and do not take precautions to protect it. EC-Council has three terms that are supposed to show up on the exam, so I will define them below.</p>
<ul>
<li><strong>Eavesdropping</strong> &#8211; Unauthorized listening of conversations or reading of messages</li>
<li><strong>Shoulder Surfing</strong> &#8211; Attacker looks over someone's shoulder to gain information</li>
<li><strong>Dumpster Diving</strong> &#8211; Looking for treasure in someone's trash.</li>
</ul>
<p>I find social engineering to be one of the most fun aspects of collecting information because you get to troll people for sensitive info without them knowing. You can use Jedi mind tricks to convince another person to tell you their passwords, social security numbers, financial info, or more&#8230; Though of course you should only be doing this for ethical purposes, so don&#8217;t be a jerk! The synopsis is that you are exploiting human error, which is the biggest vulnerability in security today. There are even entire toolkits that can help automate social engineering attack scenarios and increase your success rate at retrieving information. I encourage you to play with the Social-Engineer Toolkit (SET) made by @hackingdave of TrustedSec: <a href="https://www.trustedsec.com/social-engineer-toolkit/" target="_blank">https://www.trustedsec.com/social-engineer-toolkit/</a>.</p>
<p>Just look at what important information can be obtained by looking in the windows of local businesses.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/09/dc42e7dd31c3a31a038b8854fc375fb7ec07034501e2470448b35fd9921a5da9.jpg"><img class="alignnone wp-image-1570 size-full" src="http://securekomodo.net/wp-content/uploads/2015/09/dc42e7dd31c3a31a038b8854fc375fb7ec07034501e2470448b35fd9921a5da9.jpg" alt="" width="398" height="597" /></a></p>
<p>Well, it's late and this should be it for the Reconnaissance and Footprinting module of my CEH studying. I took the end-of-chapter quiz and scored 100%. Pretty basic stuff so far. Next week I will get into some network scanning, which I plan on demonstrating in a video using my own PowerShell tool 🙂</p>
<p>Thanks for reading!</p>
Hacking and Penetration Testing
https://www.securekomodo.net/hacking-and-penetration-testing/
Thu, 16 Jul 2015 08:00:18 +0000
<h2 id="hacking-and-penetration-testing">Hacking and Penetration Testing</h2>
<h3 id="certified-ethical-hacker-ceh">Certified Ethical Hacker (CEH)</h3>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/07/chalkboard.jpg"><img class="alignnone wp-image-1381 size-full" src="http://securekomodo.net/wp-content/uploads/2015/07/chalkboard.jpg" alt="Hacking and Penetration Testing Header" width="1170" height="216" /></a></p>
<p>It is time to get back to the basics of hacking. It&#8217;s tough to be in a security position and admit that you don&#8217;t know EVERYTHING about security and penetration testing. The sooner this notion is accepted, the sooner new concepts can be learned, and old concepts can be further stored in long-term memory. Most of what will be described in this post is simply review, since technically this should already be known prior to starting a CEH training program, but I know I can gain a better understanding and strengthen core concepts by touching on a few important topics. This post will provide definitions associated with ethical hacking and security policies, as well as a clear explanation of introductory networking, hacking phases, and the stages of a penetration test. That being said, let&#8217;s start with the ever-famous OSI model. This is something that is taught to all undergraduates in any basic networking or security course. Many have memorized the names of the layers and their order, but do not understand why or how they work. Let&#8217;s review&#8230;</p>
<p><strong><span style="text-decoration: underline;">The OSI model</span></strong></p>
<p>In order for two computers to communicate with each other, there must be some interface which will send/receive &#8220;<em>bits</em>&#8221;; this is your Network Interface Controller (NIC). This is where Layer 1 comes into play. <strong>Layer 1 (Physical)</strong> is the physical medium and signalling required to send/receive the binary (ones and zeros) transmissions between hosts. Now what happens when new hosts are added to your network? How will you know whom to send binary information to, or where it is coming from? This is where Layer 2 comes into play.</p>
<p><strong>Layer 2 (Data Link)</strong> uses a physical addressing scheme (MAC addresses) to identify hosts within a network. Using what are known as &#8220;<em>frames</em>&#8221;, it includes addressing for the intended sender and recipient <span style="text-decoration: underline;">within a network</span>. I like to think of this as the street address on a mailing envelope. But what if this data needs to be sent to another network <span style="text-decoration: underline;">outside</span> of yours? The mailing envelope at some point will need to leave your neighborhood, state, or even your country! And it is not feasible for every computer to know the physical address of every computer in the world&#8230;</p>
<p>Well, <strong>Layer 3 (Network)</strong> provides another method of addressing using &#8220;<em>packets</em>&#8221;. Packets contain logical addressing and routing information (source and destination IP addresses) about the neighborhood they are intended for. Think of this like the ZIP code in our envelope example.</p>
<p><strong>Layer 4 (Transport)</strong> contains information about how data will be sent. Remember the last four letters of the word transPORT, since this is the layer where port assignments take place. Using what are known as &#8220;<em>segments</em>&#8221;, Layer 4 provides the protocols defining the way information will be sent between the source and destination hosts. The most common transport protocols are TCP and UDP. TCP provides reliable, ordered delivery (lost segments are detected and retransmitted), while UDP is more of a &#8220;fire-and-forget&#8221; methodology. I like to think of this layer as the type of mail service you want for your envelope. Do you want ground shipping with signature upon delivery? Maybe you want next-day air with no confirmation? The next layer was the most difficult for me to comprehend and can be the most confusing.</p>
<p><strong>Layer 5 (Session)</strong> is more of a theoretical layer put in place to handle (you guessed it) sessions. Its job is to open, close, and manage the dialogue between two hosts. An active session is required to deliver data. Some sessions remain open for long durations and multiple deliveries of data, while others may only be open for a single transmission. If you open a command prompt and type &#8220;netstat&#8221; you will see a list of your computer's connections and their statuses (strictly speaking those are Layer 4 sockets, but it is the easiest way to see sessions in practice).</p>
<p><strong>Layer 6 (Presentation)</strong> is responsible for molding the data into a format that applications can understand. Since not every computer runs the same applications, there have to be standards to ensure successful delivery and interpretation of the data. Some examples of these standard formats are ASCII, JPEG, GIF, etc. I like to think of Layer 6 as the translator for the application layer.</p>
<p>Lastly there is <strong>Layer 7 (Application)</strong>, which could be considered the &#8220;closest&#8221; layer to the user. This is where the protocols that application software speaks live, so that data ends up in a human-readable form. Applications such as a web browser use protocols like HTTP or HTTPS to view web pages, and FTP allows users to transfer files across networks.</p>
<p>In the top three layers of the OSI model, the protocol data unit is simply referred to as &#8220;<em>data</em>&#8221;. Take a look at this figure I made below, which displays the OSI model, the TCP/IP model, and their associated ports and services.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/07/OSI-Reference-Model.png"><img class="alignnone size-full wp-image-1376" src="http://securekomodo.net/wp-content/uploads/2015/07/OSI-Reference-Model.png" alt="OSI Reference Model" width="1151" height="632" /></a></p>
<p>So remember that frames contain packets, packets contain segments, and segments contain data. Let&#8217;s take a look at some common definitions that will be good for a few easy answers on the exam.</p>
<dl>
<dt>White Hat</dt>
<dd>Hired security professionals who perform penetration tests on information systems</dd>
<dt>Black Hat</dt>
<dd>A criminal hacker &#8220;cracker&#8221; who is using their skills for malicious intent</dd>
<dt>Gray Hat</dt>
<dd>Curious hackers who are neither good nor bad, but demonstrate flaws in information systems with or without consent</dd>
<dt>Information Security Policy</dt>
<dd>Clearly identifies the rules and regulations for an organization's computer assets along with the consequences of non-compliance. The employee-facing portion is commonly published as an &#8220;Acceptable Use Policy&#8221;, which employees sign to acknowledge their understanding.</dd>
<dt>Information Protection Policy</dt>
<dd>Defines the sensitivity levels of data and who has access to those levels. In addition it will define how information is stored, transmitted, and purged.</dd>
<dt>Information Audit Policy</dt>
<dd>Defines the rules and guidelines for auditing security within an organization.</dd>
<dt>Operating System (OS) Attack</dt>
<dd>This is an attack that takes advantage of a vulnerable operating system installed on a computer.</dd>
<dt>Application Level Attack</dt>
<dd>This attacks the vulnerable programming code of a given application.</dd>
<dt>Shrink Wrap Code Attack</dt>
<dd>Takes place when an attack is based around a script or code provided by &#8220;off-the-shelf&#8221; software.</dd>
<dt>Misconfiguration Attack</dt>
<dd>Exploits systems that have, intentionally or unintentionally, not been properly configured</dd>
</dl>
<p>The CEH exam does not focus on too many definition questions, but I guess they are still found. So memorizing some terms and common attacks could surely be some easy points when test day comes.</p>
<p>Last but not least I want to talk about the 5 hacking stages and the 3 stages of a penetration test. All sources agree that there will be many questions referencing the various stages, so I will just list them out here.</p>
<p>Stage 1 &#8211; Reconnaissance</p>
<p>Stage 2 &#8211; Scanning and Enumeration</p>
<p><span style="color: #999999;"><em>Stage 2.5 &#8212;&#8211; Privilege Escalation</em></span></p>
<p>Stage 3 &#8211; Gaining Access</p>
<p>Stage 4 &#8211; Maintaining Access</p>
<p>Stage 5 &#8211; Covering Tracks</p>
<p>During <strong>Reconnaissance</strong>, an ethical hacker gathers information (passively or actively) about a given target. This could mean parking outside an office and observing the habits of employees as they arrive at work, or it could be looking up domain information and declared network ranges, or sniffing network traffic.</p>
<p>During the <strong>Scanning and Enumeration</strong> phase, an ethical hacker uses tools and techniques to get in-depth knowledge about the target. This could mean scanning to identify the types of computers on the network and which are vulnerable to attack, or even just checking whether a port is open on a given host.</p>
<p>Next comes the most fun stage, <strong>Gaining Access</strong>. This is where a vulnerable system is exploited and security controls are circumvented in order to gain access to a host. It could also be as simple as connecting to an open Wi-Fi network and poking around its configuration.</p>
<p>After access is achieved, you are going to want to keep it. The next step, <strong>Maintaining Access</strong>, is where backdoors are put in place to ensure there is a way to connect back to the exploited host even if it is rebooted. This is also referred to as persistence.</p>
<p>And last but not least is <strong>Covering Tracks</strong>. After you just did all that work it would be a shame to have a forensics expert derail your whole pentest because of some logs! So this is where you take extra measures to not leave a trace behind while you do your business on the system. On an authorized engagement, only do this if it is explicitly in scope: tampering with logs also destroys the client's own evidence and can hide a real intruder you are not aware of.</p>
<p>Now there are only 3 stages of a penetration test, and be sure not to confuse this with the 5 hacking stages.</p>
<p><strong>Stage 1 &#8211; Preparation</strong></p>
<p style="padding-left: 30px;">
This is where the contract and rules of engagement are signed, outlining the scope and framework of the penetration test. That written authorization is really what sets the ethical apart from the unethical.
</p>
<p><strong>Stage 2 &#8211; Assessment</strong></p>
<p style="padding-left: 30px;">
During the Assessment phase, the actual penetration test is underway and the ethical hacker will use the 5 hacking stages to conduct his/her assessment.
</p>
<p><strong>Stage 3 &#8211; Conclusion</strong></p>
<p style="padding-left: 30px;">
Lastly, the conclusion reports all the findings of the assessment and often provides recommendations on how to fix them.
</p>
<p>That was really it for the first module, you can see most of it is review and not fun material. The rest of my posts will be focusing on phase 3 of the hacking phases which is gaining access. They will go into detail about the various tools and techniques used to perform all types of attacks so stay tuned for more content!</p>
<p>If you would like to learn more about the CEH, please visit <a href="http://www.eccouncil.org/Certification/certified-ethical-hacker" target="_blank">http://www.eccouncil.org/Certification/certified-ethical-hacker</a></p>
Paving the road to certifiably hacking “ethically”
https://www.securekomodo.net/paving-the-road-to-certifiably-hacking-ethically/
Thu, 09 Jul 2015 05:14:32 +0000
<h2 id="becoming-a-certified-ethical-hacker">Becoming a Certified Ethical Hacker</h2>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/07/Screen-Shot-2015-07-09-at-1.11.26-AM.png"><img class="alignnone size-full wp-image-1345" src="http://securekomodo.net/wp-content/uploads/2015/07/Screen-Shot-2015-07-09-at-1.11.26-AM.png" alt="Road" width="1190" height="238" /></a>Lately I have been having thoughts of studying for my first infosec industry certification. Being that it is now July 2015 and we are in the middle of the security &#8220;conference season&#8221;, I find that I am missing a few acronyms on my business card when I attempt to network with others in the field. With so many people I meet possessing recognizable and respected certifications such as CISSP, Security+, CASP, or CEH&#8230; it is tough to stand out on paper among the hordes of &#8220;industry certified&#8221; security professionals.</p>
<p>Certifications are sort of like profiling: without one you seem entry-level, someone who is just getting their feet wet. Of course any good manager would know that that is simply not true. If one does not have a certification, it does not mean they do not possess the skills needed to be successful. And similarly, just because someone has completed a certification does not mean they have the expertise needed to perform well at a high-paying job. I graduated with a Bachelor's degree in Information Security back in April 2014, and landed a nice career in infosec soon after. With the on-the-job knowledge I accrue on a daily basis, I do not believe any certification can truly match up with this type of &#8220;real world&#8221; experience. Yet still I have some void within me. A continuous whisper in my mind telling me to stop putting this on the back burner and get going on furthering my education. If an acronym is what is needed to prequalify for respect and trust because people simply do not have the time to test what they are looking for, then so be it! I choose CEH.</p>
<h3 id="ec-council-certified-ethical-hacker-ceh">EC Council Certified Ethical Hacker (CEH)</h3>
<p>I decided to pursue a CEH because I feel it aligns most with my current knowledge and training, while still providing enough value and content to make me a better security professional. The exam itself is:</p>
<ul>
<li>125 questions</li>
<li>70% passing score</li>
<li>Multiple choice</li>
</ul>
<p>The current version of the exam is 312-50 which will cover <strong>19</strong> domains:</p>
<ul>
<li>Introduction to Ethical Hacking</li>
<li>Footprinting and Reconnaissance</li>
<li>Scanning Networks</li>
<li>Enumeration</li>
<li>System Hacking</li>
<li>Trojans and Backdoors</li>
<li>Viruses and Worms</li>
<li>Sniffers</li>
<li>Social Engineering</li>
<li>Denial of Service</li>
<li>Session Hijacking</li>
<li>Hacking Webservers</li>
<li>Hacking Web Applications</li>
<li>SQL Injection</li>
<li>Hacking Wireless Networks</li>
<li>Evading IDS, Firewalls, and Honeypots</li>
<li>Buffer Overflow</li>
<li>Cryptography</li>
<li>Penetration Testing</li>
</ul>
<p>My plan will be to cover one domain/week and provide useful examples on the material in the form of a blog post every week. This will help me retain all the information I am learning, and also serve as a knowledge base for my studying.</p>
<p>I hope you will enjoy the new content on my blog, and at this rate I should be certified sometime in November. Wish me luck!!!!</p>
2014 SANS Holiday Hacking Carol
https://www.securekomodo.net/2014-sans-holiday-challenge-a-christmas-hacking-carol/
Wed, 07 Jan 2015 00:08:55 +0000
<h2 id="2014-sans-holiday-hacking-carol-challenge">2014 SANS Holiday Hacking Carol Challenge</h2>
<p>Every year, the SANS institute hosts a holiday hacking challenge open to any and all that want to participate. This year I decided to hop on board after @n3tl0kr from our #MISEC crew sent out the following tweet:</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/n3tl0kr.png"><img class="alignnone wp-image-1196 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/n3tl0kr.png" alt="2014 SANS Holiday Hacking Carol" width="596" height="103" /></a></p>
<p>So I decided that with my time off work, and no classes to keep me occupied, I should try to keep my skills sharp and see how far I could get. After reading the entire story (<a title="http://pen-testing.sans.org/holiday-challenge/2014" href="http://pen-testing.sans.org/holiday-challenge/2014?utm_medium=Social&amp;utm_source=Twitter&amp;utm_content=2014_Holiday_Hack_Challenge_Twitter&amp;utm_campaign=2014_Holiday_Hack_Challenge" target="_blank">http://pen-testing.sans.org/holiday-challenge/2014?utm_medium=Social&amp;utm_source=Twitter&amp;utm_content=2014_Holiday_Hack_Challenge_Twitter&amp;utm_campaign=2014_Holiday_Hack_Challenge</a>) and Ed Skoudis&#8217;s note:</p>
<blockquote>
<p>In this year&#8217;s challenge, you&#8217;ll get to match wits with an Artificially Intelligent agent, exploit a target machine, and do some detailed packet capture and file analysis, all with the goal of unraveling the mysteries of the Ghosts of Hacking Past, Present, and Future to save old Ebenezer Scrooge from certain doom.</p>
</blockquote>
<p>I was hooked&#8230;</p>
<p><strong>The Task</strong></p>
<p>Scrooge has been transformed by the secrets revealed by the visiting specters. But how? Analyze the evidence provided in our tale, and answer the following questions:</p>
<ol>
<li>What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?</li>
<li>What two secrets did the Ghost of Hacking Present deposit on the <a href="http://www.scrooge-and-marley.com">http://www.scrooge-and-marley.com</a> website? You have permission to attack that website (TCP port 80 and 443 only) with the goal of retrieving those secrets, but please do not attempt any denial of service attacks or performance hogging attacks on that machine.</li>
<li>What four secrets are found on the USB file system image bestowed by the Ghost of Hacking Future?</li>
</ol>
<h2 id="question-1-what-secret-did-the-ghost-of-hacking-past-include-on-the-system-at-173-255-233-59"><strong>Question 1: What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?</strong></h2>
<p>Because the ghost of Mr. Alan Turing was generous enough to provide a target IP address, I was able to dive right into the scanning phase of my ethical hacking process. I needed to figure out whether an active machine lived at this address or not.</p>
<p>I first pinged the target 173.255.233.59, which was successful.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/ping.png"><img class="alignnone wp-image-1197 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/ping.png" alt="2014 SANS Holiday Hacking Carol - Ping" width="398" height="125" /></a></p>
<p>I noticed the Time to Live (TTL) value was 52, which initially suggested that I was dealing with some type of Linux/Unix kernel around 12 hops away (the default TTL for Linux is 64 and the value is decremented at each hop).</p>
<p>At this point I proceeded to port scanning, where I unfortunately spent a significant amount of time chasing a dead end. The initial scan results showed only port 22 (SSH) open. Banner and fingerprint info proved useless, so I started adjusting my Nmap scan parameters. A stealthy SYN scan of all ports finally found a high port (31124) that was open.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/nmap1.png"><img class="alignnone wp-image-1200 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/nmap1.png" alt="2014 SANS Holiday Hacking Carol - NMAP" width="975" height="491" /></a></p>
<p>&nbsp;</p>
<p>I didn&#8217;t know what ran on this port, so I did what any curious hacker would do and used telnet to connect (what&#8217;s the worst that can happen?). And this is where I met dearest ELIZA.</p>
<p>After doing some research I found out that ELIZA was a computer program created to pass Alan Turing&#8217;s &#8220;Turing Test&#8221;. ELIZA was supposed to provide human-like answers to questions by parsing user input for keywords and giving canned responses. But what secrets did she possess? I spent a good while getting to know ELIZA, asking questions and looking at responses, and after going back to the story I saw some hints.</p>
<blockquote>
<p>Feel free to connect with her, surf the Internet together, and see if you can discover her secret.&#8221;</p>
</blockquote>
<p>After countless commands without getting anything back, I finally got a response that was different. I typed</p>
<pre><code>browse http://www.google.com</code></pre>
<p>and was given the HTML page title along with &#8220;does this look accurate?&#8221; I tried multiple times with various websites and kept getting the same type of console response back, which was not helpful. But what was happening on the server side? What type of request was being sent and relayed back to me in ELIZA&#8217;s console output? Luckily I have a web server (the one you&#8217;re reading!) that is publicly accessible, so I asked ELIZA to browse to it.</p>
<pre><code>browse http://securekomodo.net</code></pre>
<p>I immediately went to the web server log files to search for her IP, 173.255.233.59, and what do you know! There was her HTTP GET request with the secret 🙂</p>
<p><em><strong><span style="color: #ff6600;">Eliza Secret: ”Machines take me by surprise with great frequency. –Alan Turing”</span></strong></em></p>
<p>^ cool!</p>
<p>This secret was exactly what Scrooge needed to see in order to understand how true pioneers of science shaped the computing world as we know it.</p>
<p>&nbsp;</p>
<h2 id="question-2-what-two-secrets-did-the-ghost-of-hacking-present-deposit-on-the-http-www-scrooge-and-marley-com-website"><strong>Question 2: What two secrets did the Ghost of Hacking Present deposit on the <a href="http://www.scrooge-and-marley.com">http://www.scrooge-and-marley.com</a> website?</strong></h2>
<p>Again, it is always nice to have a target to start with. I did not need to do much port scanning, since the instructions said to only attack ports 80 and 443, with no DoS, because that&#8217;s pointless for this challenge. I did ping the server and got an immediate response from 23.239.15.124 with a TTL of 52, so again my first assumption was a Linux/Unix kernel.</p>
<p>I visited the site and downloaded it to work offline. Analyzing the source code, I noticed a link to a contact page that loads a submit.sh script. Submitting the form only brings the user back to the home page of <a href="http://scrooge-and-marley.com">http://scrooge-and-marley.com</a>.</p>
<p>Now to scan for vulnerabilities. Since my tools are not enterprise level and can only scan private IPs, I was forced to use third-party vulnerability scanning tools. I started with Heartbleed, since I could only assume the server was vulnerable to both Shellshock and Heartbleed after reading this hint:</p>
<blockquote>
<p>To help you understand, I&#8217;ve magically introduced two special secrets on your very own company website, www.scrooge-and-marley.com. Those secrets should shock your heart, teaching you important lessons for all time.&#8221;</p>
</blockquote>
<p>I used an online Heartbleed scanning tool against <a href="http://scrooge-and-marley.com">http://scrooge-and-marley.com</a>, and sure enough the results came back positive for this OpenSSL vulnerability.</p>
<p>I needed an exploit, so I downloaded a verified Heartbleed Python script from a well-known site and started to plan my attack. I loaded up Kali in a VM and wanted to keep looping the script over and over, since the RAM contents returned by the buffer overflow are unpredictable and random. I wanted to run the exploit over a period of time to collect as much data as possible.</p>
<pre><code>while true; do heartbleed.py 23.239.15.124 &gt;&gt; /temp/heartbleed.out; sleep 1; done</code></pre>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/heartbleed2.png"><img class="alignnone wp-image-1211 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/heartbleed2.png" alt="2014 SANS Holiday Hacking Carol - Heartbleed" width="1243" height="575" /></a></p>
<p><em><strong><span style="color: #ff6600;">Website Secret #1: Hacking can be noble</span></strong></em></p>
<p>Now to start on secret #2 using Shellshock. Remember that submit.sh script?</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/contact.png"><img class="alignnone wp-image-1204 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/contact.png" alt="2014 SANS Holiday Hacking Carol - Contact" width="625" height="453" /></a></p>
<p>Again I used an online vulnerability scanning tool to assist with my analysis.</p>
<p>The tool I used sends an HTTP request to the target URL with a special header in the request:</p>
<pre><code>() { :; }; echo "Content-Type: text/plain";echo;echo;/usr/bin/id</code></pre>
<p>Because the target script is run as CGI, the web server passed the header value to the script in the HTTP_COOKIE environment variable. When the vulnerable Bash was invoked by the CGI script, it automatically executed the command appended after the function definition, and the output appeared in the HTML response, meaning the server was vulnerable to Shellshock. I needed an exploit, so I downloaded a verified Shellshock PHP script from a well-known site and started to plan my attack. Since I needed a reverse shell, I had to make sure I had a machine that was accessible from the internet. A little port-forwarding magic on my router for port 6969 to my Kali VM&#8217;s IP address, tied in with the command below to start my listener, and I was ready to go.</p>
<pre><code>netcat -lp 6969 -vv</code></pre>
<p>Running the exploit immediately produced a shell prompt, and I *thought* I was done. Only a few commands, like echo and pwd, would work, but I could not list the contents of the directory I was in! I honestly spent the most time on this secret, since I had the least experience with native POSIX. After intense research and some collaboration with a Linux admin, I was able to list the contents of the current directory by typing</p>
<pre><code>echo "%s\n" *</code></pre>
<p>I then changed directories into the root folder and listed the contents to see a file called secret. Now the second hardest part was to somehow display the file on the console, and since none of my usual commands would work I reached back out to my Linux guru for advice. I knew echo works, but how do you echo the contents of a file to the console?? After many hours and endless variations of syntax, the command below finally worked to unveil the secret!</p>
<pre><code>echo "$(&lt;secret)"</code></pre>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/secret.png"><img class="alignnone wp-image-1212 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/secret.png" alt="2014 SANS Holiday Hacking Carol - Secret" width="263" height="144" /></a></p>
<p><em><strong><span style="color: #ff6600;">Website Secret #2: Use your skills for good.</span></strong></em></p>
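<p>As an added defensive counterpart to the probe header above (example code written for this page, not part of the original post or of the scanning tool it mentions), this PowerShell function scans web-server access log lines for the Bash function-definition prefix that Shellshock payloads carry in a header. It assumes Apache combined log format, and the sample log lines are constructed.</p>

```powershell
# Added example: flag HTTP requests whose logged header fields carry a Shellshock
# function-definition prefix such as "() { :; };". Input here is constructed sample data.
function Find-ShellshockProbe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$LogLine
    )
    begin {
        # Vulnerable Bash parsed an exported variable beginning with "() {" as a function
        # definition and kept executing what followed the closing brace; that prefix is the signature.
        $shellshock = '\(\)\s*\{[^}]*\}\s*;'
        # Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
        $combined = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<agent>[^"]*)"'
    }
    process {
        foreach ($line in $LogLine) {
            if ($line -notmatch $shellshock) { continue }
            $parsed = [regex]::Match($line, $combined)
            if (-not $parsed.Success) {
                # Signature present but the line is not in combined format: still report it.
                [pscustomobject]@{
                    ClientIP = '?'; Time = '?'; Request = $line; Field = 'unknown'
                    Status   = $null; Payload = [regex]::Match($line, $shellshock).Value
                }
                continue
            }
            # Identify which logged field carried the payload (later checks override earlier ones).
            $field = 'Request line'
            if ($parsed.Groups['referer'].Value -match $shellshock) { $field = 'Referer' }
            if ($parsed.Groups['agent'].Value -match $shellshock)   { $field = 'User-Agent' }
            [pscustomobject]@{
                ClientIP = $parsed.Groups['ip'].Value
                Time     = $parsed.Groups['time'].Value
                Request  = $parsed.Groups['request'].Value
                Field    = $field
                Status   = [int]$parsed.Groups['status'].Value
                Payload  = [regex]::Match($line, $shellshock).Value
            }
        }
    }
}

# Constructed sample log lines: the client addresses and timestamps are made up,
# the second line mimics the CGI probe discussed above landing in the User-Agent field.
$sampleLog = @(
    '203.0.113.10 - - [04/Jan/2015:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.25 - - [04/Jan/2015:10:15:07 +0000] "GET /cgi-bin/submit.sh HTTP/1.1" 200 87 "-" "() { :; }; echo Content-Type: text/plain; echo; echo; /usr/bin/id"',
    '203.0.113.10 - - [04/Jan/2015:10:16:22 +0000] "GET /contact.html HTTP/1.1" 200 2210 "() { foo;}; /bin/ls" "curl/7.38.0"'
)
# Expected: two hits, one attributed to User-Agent and one to Referer.
$sampleLog | Find-ShellshockProbe | Format-Table -AutoSize
```

<p>The combined log format does not record the Cookie header, so a probe delivered the way described above (via HTTP_COOKIE) only shows up if the server logs that header or a WAF/IDS inspects it; the User-Agent and Referer fields are covered here.</p>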
<p>&nbsp;</p>
<h2 id="question-3-what-four-secrets-are-found-on-the-usb-file-system-image-bestowed-by-the-ghost-of-hacking-future"><strong>Question 3: What four secrets are found on the USB File system image bestowed by the Ghost of Hacking Future?</strong></h2>
<p>When I first downloaded the hhusb.dd.bin USB image, I wanted to ensure that none of the contents of the image would be modified, as could happen by simply extracting them with an archiving tool like 7-Zip. Instead, I used a free forensics tool for Windows called Autopsy, which could analyze the image without modifying its contents. I created a new case, imported the BIN and I was on my way.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/systemtree.png"><img class="alignleft wp-image-1213 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/systemtree.png" alt="2014 SANS Holiday Hacking Carol - System Tree" width="269" height="572" /></a></p>
<p>You can see that Autopsy was able to sort the image by file type and notify me that the image contained encrypted files. It also showed me that there was a deleted file in the image, which could be interesting.</p>
<p>I started to analyze the Office document “LetterFromJacktoChuck.doc” and read the contents. Though it was interesting in nature, I was not able to see any secrets in the direct text of the document. I started searching further into the metadata of this document and it was there in the “Custom” attribute that the USB Secret #1 was found.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/directorylisting.png"><img class="alignnone wp-image-1214 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/directorylisting.png" alt="2014 SANS Holiday Hacking Carol - Directory Listing" width="589" height="279" /></a></p>
<p><strong><em><span style="color: #ff6600;">USB Secret #1: Your demise is a source of mirth.</span></em></strong></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>I then wanted to see what was in the Hh2014-schat.pcapng file. I opened it in Wireshark and started searching for interesting items, beginning with all HTTP POST requests. Following the TCP stream of the interesting packets uncovered a conversation worth reading.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/POST.png"><img class="alignnone wp-image-1215 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/POST.png" alt="2014 SANS Holiday Hacking Carol - POST" width="1741" height="290" /></a></p>
<p>Looking at each POST, right-clicking and following the TCP stream, I was able to piece together the conversation:</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/tcpstream.png"><img class="alignnone wp-image-1216 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/tcpstream.png" alt="2014 SANS Holiday Hacking Carol - tcpstream" width="743" height="575" /></a></p>
<p>&nbsp;</p>
<p>Conversation</p>
<p>Date: Monday, December 25th 2034</p>
<p>chat.scrooge-and-marley.com</p>
<p><span style="color: #ff00ff;">Csmith = Caroline Smith</span></p>
<p><span style="color: #3366ff;">Ssmith = Samuel Smith</span></p>
<p>{&#8220;users&#8221;:{&#8220;2a368e544111c18030856a46320200e68ad8a263&#8221;:</p>
<p>{&#8220;name&#8221;:&#8221;csmith&#8221;,&#8221;role&#8221;:&#8221;user&#8221;,&#8221;timestamp&#8221;:&#8221;2050686000&#8243;,&#8221;id&#8221;:&#8221;2a368e544111c18030856a46320200e68ad8a263&#8243;},&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;:</p>
<p>{&#8220;name&#8221;:&#8221;ssmith&#8221;,&#8221;role&#8221;:&#8221;user&#8221;,&#8221;timestamp&#8221;:&#8221;2050685966&#8243;,&#8221;id&#8221;:&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;}},&#8221;op&#8221;:[&#8220;d5c1bc63db3b1c59cc312503433470270e146e24&#8221;]}</p>
<p>&#8220;id&#8221;:&#8221;2050686064.4648.7a3afc70717ab3.80889290&#8243;,&#8221;sender&#8221;:&#8221;2a368e544111c18030856a46320200e68ad8a263&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #ff00ff;">&#8220;My Darling Husband, I do so appreciate your checking with Mr. Scrooge about the status of our debts. If he would grant us just one more month, we may be able scrape together enough to meet him minimum payment and stay out of debtor&#8217;s prison. Please tell me of your progress, my love.&#8221;</span>,&#8221;timestamp&#8221;:2050686064</p>
<p>&#8220;id&#8221;:&#8221;2050686089.2728.7a3afc89429941.79812946&#8243;,&#8221;sender&#8221;:&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #3366ff;">&#8220;As promised, I have indeed reached out to Mr. Scrooge to discuss our financial affairs with him, dear.&#8221;</span>,&#8221;timestamp&#8221;:2050686089</p>
<p>&#8220;id&#8221;:&#8221;2050686101.3766.7a3afc955bf246.40975752&#8243;,&#8221;sender&#8221;:&#8221;2a368e544111c18030856a46320200e68ad8a263&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #ff00ff;">&#8220;Is it good&#8230; or bad?&#8221;</span>,&#8221;timestamp&#8221;:2050686101</p>
<p>&#8220;id&#8221;:&#8221;2050686107.8026.7a3afc9bc3f220.33371795&#8243;,&#8221;sender&#8221;:&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #3366ff;">&#8220;Bad.&#8221;</span>,&#8221;timestamp&#8221;:2050686107</p>
<p>&#8220;id&#8221;:&#8221;2050686121.0941.7a3afca916fa77.77876126&#8243;,&#8221;sender&#8221;:&#8221;2a368e544111c18030856a46320200e68ad8a263&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #ff00ff;">&#8220;We are quite ruined.&#8221;</span>,&#8221;timestamp&#8221;:2050686121</p>
<p>&#8220;id&#8221;:&#8221;2050686139.2382.7a3afcbb3a2774.07852556&#8243;,&#8221;sender&#8221;:&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #3366ff;">&#8220;No. There is hope yet, Caroline.&#8221;</span>,&#8221;timestamp&#8221;:2050686139</p>
<p>&#8220;id&#8221;:&#8221;2050686166.3458.7a3afcd6546eb7.19699057&#8243;,&#8221;sender&#8221;:&#8221;2a368e544111c18030856a46320200e68ad8a263&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #ff00ff;">&#8220;If he relents, there is. Nothing is past hope, if such a miracle has happened.&#8221;</span>,&#8221;timestamp&#8221;:2050686166</p>
<p>&#8220;id&#8221;:&#8221;2050686180.628.7a3afce4995195.67896075&#8243;,&#8221;sender&#8221;:&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #3366ff;">&#8220;He is past relenting. He is dead.&#8221;</span>,&#8221;timestamp&#8221;:2050686180</p>
<p>&#8220;id&#8221;:&#8221;2050686208.1888.7a3afd002e16a8.60198759&#8243;,&#8221;sender&#8221;:&#8221;2a368e544111c18030856a46320200e68ad8a263&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #ff00ff;">&#8220;That is wondrous news! To whom will our debt be transferred?&#8221;</span>,&#8221;timestamp&#8221;:2050686208</p>
<p>&#8220;id&#8221;:&#8221;2050686258.0418.7a3afd320a3816.89103764&#8243;,&#8221;sender&#8221;:&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #3366ff;">&#8220;I don&#8217;t know. But before that time we shall be ready with the money. And even if we are not, it would be a bad fortune indeed to find so merciless a creditor in his successor. We may sleep tonight with light hearts, Caroline!&#8221;</span>,&#8221;timestamp&#8221;:2050686258</p>
<p>&#8220;id&#8221;:&#8221;2050686293.3549.7a3afd5556a476.91742867&#8243;,&#8221;sender&#8221;:&#8221;2a368e544111c18030856a46320200e68ad8a263&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #ff00ff;">&#8220;I&#8217;ve just told our children about Mr. Scrooge&#8217;s death, and all of their faces are brighter for it. We now have a very happy house. I so love you.&#8221;</span>,&#8221;timestamp&#8221;:2050686293</p>
<p>&#8220;id&#8221;:&#8221;2050686313.8318.7a3afd69cb12d9.50729750&#8243;,&#8221;sender&#8221;:&#8221;d5c1bc63db3b1c59cc312503433470270e146e24&#8243;,&#8221;recipient&#8221;:&#8221;channel|xxx&#8221;,&#8221;type&#8221;:&#8221;msg&#8221;,&#8221;body&#8221;:<span style="color: #3366ff;">&#8220;I shall see you soon, my dear. Lovingly &#8212; Samuel.&#8221;</span>,&#8221;timestamp&#8221;:2050686313</p>
<p>&nbsp;</p>
<p>Unfortunately the address of chat.scrooge-and-marley.com was not active so I was not able to go any further with this.</p>
<p>I had some filters saved at this point and wanted to save the capture as a new file to make things easier for me. When I tried to save it as a pcap, a message came up in Wireshark saying that there were comments in this file that would be lost, and was I sure I wanted to save as a pcap instead of a pcapng?</p>
<p>Well, I knew that I had not made any comments in the capture, so I decided to see what comments were there. Scrolling through, I reached packet #2000, which contained a comment that looked base64 encoded. Echoing the string in the console and piping it to base64 -d revealed USB Secret #2!</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/base64.png"><img class="alignnone wp-image-1217 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/base64.png" alt="2014 SANS Holiday Hacking Carol - base64" width="1021" height="570" /></a></p>
<p>&nbsp;</p>
<p><em><strong><span style="color: #ff6600;">USB Secret #2: Your demise is a source of relief.</span></strong></em></p>
<p>&nbsp;</p>
<p>I did find something else in the Wireshark packet capture that I will get to for USB Secret #4, but first…</p>
<p>I wanted to check into that encrypted file. I was able to see the listing of the zip file but not open it: it contained a picture called Bed_Curtains.png and was password protected.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/password.png"><img class="alignnone wp-image-1218 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/password.png" alt="2014 SANS Holiday Hacking Carol - password" width="358" height="143" /></a></p>
<p>I tried guessing some passwords without any luck, so I decided to run a dictionary attack against it in Kali Linux. I have a directory of word lists to use against this file, and I looped through each one with the tool fcrackzip. The attack was successful: the word &#8220;shambolic&#8221; from the rockyou.txt word list turned out to be the password for this zip!!!</p>
<pre><code>fcrackzip --dictionary --use-unzip --init-password rockyou.txt hh2014-chat.pcapng_Bed_Curtains.zip --verbose</code></pre>
<p>Unveiled was a picture</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/bed_curtains.png"><img class="alignnone wp-image-1219 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/bed_curtains.png" alt="2014 SANS Holiday Hacking Carol - bed_curtains" width="540" height="507" /></a></p>
<p>I initially thought that there might be some steganography involved, but I wanted to check Autopsy first. Looking through the strings extracted from this file revealed the secret hidden within.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/secret3.png"><img class="alignnone wp-image-1220 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/secret3.png" alt="2014 SANS Holiday Hacking Carol - secret3" width="436" height="225" /></a></p>
<p>On the 88th page of the extracted strings was the Secret #3!</p>
<p><strong><em><span style="color: #ff6600;">USB Secret #3: Your demise is a source of gain for others.</span></em></strong></p>
<p>&nbsp;</p>
<p>I mentioned in the process of analyzing the capture file that I found another clue. I love to use PowerShell when possible and decided to write up a quick command that will parse a capture file and extract all unique URLs found.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/powershellparse.png"><img class="alignnone wp-image-1221 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/powershellparse.png" alt="2014 SANS Holiday Hacking Carol - powershellparse" width="1111" height="245" /></a></p>
<p>I see that this clue leads to a steganography tool that uses the f5 algorithm to encode data in pictures. Well I know that there was that picture found in that [DELETED] directory, maybe there was a secret within?</p>
<p>I downloaded the tool to my Kali box and ran the command syntax and what do you know! I found USB Secret #4!</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/stego.png"><img class="alignnone wp-image-1224 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/stego.png" alt="2014 SANS Holiday Hacking Carol - stego" width="1216" height="664" /></a></p>
<p><em><strong><span style="color: #ff6600;">USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.</span></strong></em></p>
<p>Through the process of performing this challenge I have not only sharpened existing skills, but I have learned many new skills to add to my forensics tool belt. Although it seems from this write-up that I had the right answer to every question, it really took a LOT of wrong guesses and dead ends before the answers were unveiled. I also realized I should document more DURING the exploit so I don&#8217;t have to go back to get screencaps 🙂</p>
<p>Otherwise, I was very happy to complete this successfully and look forward to next year’s challenge!</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2015/01/twit.png"><img class="alignnone wp-image-1226 size-full" src="http://securekomodo.net/wp-content/uploads/2015/01/twit.png" alt="2014 SANS Holiday Hacking Carol - twit" width="622" height="244" /></a></p>
<p>&nbsp;</p>
<p><strong>All Secrets:</strong></p>
<ul>
<li><span style="color: #000000;">Eliza Secret: ”Machines take me by surprise with great frequency. –Alan Turing”</span></li>
<li><span style="color: #000000;">Website Secret #1: Hacking can be noble</span></li>
<li><span style="color: #000000;">Website Secret #2: Use your skills for good.</span></li>
<li><span style="color: #000000;">USB Secret #1: Your demise is a source of mirth.</span></li>
<li><span style="color: #000000;">USB Secret #2: Your demise is a source of relief.</span></li>
<li><span style="color: #000000;">USB Secret #3: Your demise is a source of gain for others.</span></li>
<li><span style="color: #000000;">USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.</span></li>
</ul>
<p>&nbsp;</p>
<p>-securekomodo</p>
Scan and Fix Unquoted Service Path Vulnerability with PowerShellhttps://www.securekomodo.net/scan-and-fix-unquoted-service-path-vulnerabilities-with-powershell/
Tue, 28 Oct 2014 22:54:41 +0000https://www.securekomodo.net/scan-and-fix-unquoted-service-path-vulnerabilities-with-powershell/
<p>As many security experts and system administrators are aware, Microsoft has really dropped the ball on addressing a decade-old flaw in the way the Windows API handles service paths&#8230; What amazes me is how prevalent this issue still is and how easy it is for any common script kiddie to elevate privileges and gain a foothold on your system. I will discuss the vulnerability and how I scanned for and remediated vulnerable systems using Windows PowerShell.</p>
<p>&nbsp;</p>
<h4 id="the-microsoft-windows-unquoted-service-path-vulnerability"><strong>The Microsoft Windows Unquoted Service Path Vulnerability:</strong></h4>
<p>Every Windows service has a path to its executable. If that path is unquoted and contains whitespace or other separators, the service will attempt to access a resource in the parent path first. This affects all versions of Windows and any operating system that supports spaces in file names.</p>
<p>&nbsp;</p>
<p>Essentially, if you have an unquoted service path with a space in it, that service is vulnerable to attack. If an attacker has write access to a folder in the directory path, privilege escalation is possible by inserting a malicious program in the parent path, named after the portion of the path before the whitespace.</p>
<p>&nbsp;</p>
<h4 id="explanation"><strong>Explanation:</strong></h4>
<p>Let me explain with pictures and colors 🙂 &#8211; Sorry Western Digital&#8230;</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/WDServicePath.png"><img class="alignnone size-full wp-image-1173" src="http://securekomodo.net/wp-content/uploads/2014/10/WDServicePath.png" alt="WDServicePath" width="422" height="474" /></a></p>
<p>&nbsp;</p>
<p>Path to executable: (BAD!)</p>
<p>C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe</p>
<p>&nbsp;</p>
<p>For this particular service, the path contains spaces and was not properly enclosed in quotes, so every time it is started, Windows searches in the following order:</p>
<ol>
<li><span style="color: #000000;">Service attempts to start&#8230;</span></li>
<li><span style="color: #000000;">C:\</span><strong><span style="color: #ff0000;">Program.exe</span></strong> Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe <span style="color: #008080;"><em>(Does this executable exist? If not, move on&#8230;)</em></span></li>
<li><span style="color: #000000;">C:\</span><strong><span style="color: #ff0000;">Program Files.exe</span></strong> (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe <span style="color: #008080;"><em>(Does this executable exist? If not, move on&#8230;)</em></span></li>
<li><span style="color: #000000;">C:\Program Files (x86)\</span><strong><span style="color: #ff0000;">Western.exe</span></strong> Digital\WD SmartWare\WDBackupEngine.exe <span style="color: #008080;"><em>(Does this executable exist? If not, move on&#8230;)</em></span></li>
<li><span style="color: #000000;">C:\Program Files (x86)\Western Digital\</span><strong><span style="color: #ff0000;">WD.exe</span></strong> SmartWare\WDBackupEngine.exe <span style="color: #008080;"><em>(Does this executable exist? If not, move on&#8230;)</em></span></li>
<li><span style="color: #14c714;"><span style="color: #000000;">C:\Program Files (x86)\Western Digital\WD SmartWare\</span><strong>WDBackupEngine.exe</strong></span></li>
<li>Service started&#8230;</li>
</ol>
<p>You can see that this gives an attacker four different locations to exploit. All an attacker has to do is name their executable as shown above and place it in any of those directories, and the next time the service starts it will run the malicious executable before ever reaching the intended service executable.</p>
<p>&nbsp;</p>
<p>Now, if least privilege is handled properly in your organization, users may not be able to write to the root of C:\, but they might still be able to write to one of the sub-directories in the service path.</p>
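<p>To make the search order above concrete, here is an added PowerShell example (written for this page; it is not the script from this post nor vendor code) that takes a raw service PathName string as stored for a service, separates the image path from any command-line switches, and lists every file name Windows would try before the real binary. The sample paths are constructed; the first is the Western Digital path shown above.</p>

```powershell
# Added example: evaluate a service's PathName the way Windows will parse it and
# enumerate the hijack candidates an attacker would need write access to create.
function Get-UnquotedPathCandidates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$PathName
    )
    process {
        $trimmed = $PathName.Trim()

        # A path that starts with a quote is safe: Windows takes the quoted part as the image.
        if ($trimmed.StartsWith('"')) {
            return [pscustomobject]@{
                PathName     = $PathName
                Executable   = ($trimmed -split '"')[1]
                IsVulnerable = $false
                Candidates   = @()
            }
        }

        # Separate the image path from trailing switches. Assumption: the image is the
        # text up to the first token ending in .exe (true for Win32 service images).
        $exePath = $trimmed
        $m = [regex]::Match($trimmed, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
        if ($m.Success) { $exePath = $m.Groups[1].Value }

        # Spaces only matter inside the image path itself; "svchost.exe -k netsvcs" is fine.
        if ($exePath -notmatch ' ') {
            return [pscustomobject]@{
                PathName     = $PathName
                Executable   = $exePath
                IsVulnerable = $false
                Candidates   = @()
            }
        }

        # CreateProcess tries the path cut at each space with ".exe" appended, so
        # "C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe" yields
        # C:\Program.exe, C:\Program Files.exe, ...\Western.exe and ...\WD.exe before the real file.
        $candidates = @()
        $idx = $exePath.IndexOf(' ')
        while ($idx -ge 0) {
            $candidates += $exePath.Substring(0, $idx) + '.exe'
            $idx = $exePath.IndexOf(' ', $idx + 1)
        }

        [pscustomobject]@{
            PathName     = $PathName
            Executable   = $exePath
            IsVulnerable = $true
            Candidates   = $candidates
        }
    }
}

# Constructed sample PathName values; on a live host pipe in
# (Get-CimInstance Win32_Service).PathName instead.
$samples = @(
    'C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe',
    'C:\Windows\System32\svchost.exe -k netsvcs',
    '"C:\Program Files\Vendor\Agent Service\agent.exe" --service'
)
# Expected: only the first sample is vulnerable, with four candidate file names.
$samples | Get-UnquotedPathCandidates | Format-List PathName, IsVulnerable, Candidates
```

<p>The parent directory of each candidate is where write ACLs should be audited (for example with Get-Acl); an unquoted path whose candidate directories are only writable by administrators is still worth quoting but is not exploitable by a standard user. Because the check looks at the image path rather than the last path segment, an unquoted image that has spaces and is followed by switches is flagged too.</p>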
<p>&nbsp;</p>
<h4 id="now-for-some-powershell-8230"><strong>Now for some PowerShell&#8230;</strong></h4>
<p>I spent a few hours the other day writing up this script, which I see as a pretty decent reusable tool to scan for this vulnerability. Essentially it gathers a list of all services on a system and checks the service path value to see if it contains any spaces that are not enclosed in quotation marks. I have built in logic to handle executables that use switches and parameters, since there are almost always spaces in the parameters after the executable.</p>
<p><em>For example: <strong>C:\Windows\System32\svchost.exe -k netsvcs</strong> does contain spaces, yet it is not vulnerable since the executable path itself does not contain spaces; only the parameters do.</em></p>
<p>&nbsp;</p>
<p>Here is what the scan output looks like when run in the default &#8220;<strong>Audit</strong>&#8221; mode with Verbose output.</p>
<blockquote>
<p><em>Get-ServicePathVulnerabilities -Verbose</em></p>
</blockquote>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/ServicePath-Results.png"><img class="alignnone size-full wp-image-1174" src="http://securekomodo.net/wp-content/uploads/2014/10/ServicePath-Results.png" alt="ServicePath-Results" width="1362" height="154" /></a></p>
<p>&nbsp;</p>
<p>And this time I specify the &#8220;<strong>Fix</strong>&#8221; parameter with Verbose output.</p>
<blockquote>
<p><em>Get-ServicePathVulnerabilities -Fix -Verbose</em></p>
</blockquote>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/ServicePath-Results1.png"><img class="alignnone size-full wp-image-1175" src="http://securekomodo.net/wp-content/uploads/2014/10/ServicePath-Results1.png" alt="ServicePath-Results" width="1368" height="183" /></a></p>
<p>&nbsp;</p>
<p>You can see how the service is now enclosed with proper quotations and a quick check can verify that it is no longer vulnerable to attack. Who needs vendors to give us patches for our systems!!</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/ServicePath-Results2.png"><img class="alignnone size-full wp-image-1176" src="http://securekomodo.net/wp-content/uploads/2014/10/ServicePath-Results2.png" alt="ServicePath-Results" width="475" height="71" /></a></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><strong>Source</strong></p>
<p>Since I do not like the way PowerShell code looks in blog posts I collapsed the source code; you can either download the file directly with the attachment below or grab it from GitHub, which I just started using. Just don&#8217;t hold me liable if something goes wrong!</p>
<p>[code language="PowerShell"]</p>
<pre><code>Function Get-ServicePathVulnerabilities {
    [Cmdletbinding()]
    Param (
        [switch]$Fix
    ) # End Param
    Begin {
        $VulnerableServices = @()
        if ($Fix) { Write-Verbose "Scan Mode: Fix" } else { Write-Verbose "Scan Mode: Audit" }
    } # End Begin
    Process {
        # Gather service information from WMI
        $Services = Get-WmiObject -Class win32_service -Property name,pathname
        # Filter out services whose path is already enclosed in quotation marks
        $UnquotedPath = $Services | Where-Object { $_.PathName -notmatch '"' } | Select-Object Name,PathName
        # Loop through services without quotations
        foreach ($Path in $UnquotedPath) {
            # Conditional logic to determine vulnerability
            # Note: Some service paths may be unquoted and include spaces, but not be vulnerable. They could
            # be a path to an executable (no spaces) followed by a command line switch that contains a space.
            # To avoid false positives, the path is cut at the executable's extension so that only spaces in
            # the executable path itself count. (Split-Path -Leaf would return "svchost.exe -k netsvcs" for
            # the svchost example, and would also hide a vulnerable executable that takes arguments.)
            if ($Path.PathName -match '^(.*?\.(?:exe|sys|dll|bat|cmd))(.*)$') {
                $Executable = $Matches[1]
                $Arguments  = $Matches[2]
            } else {
                $Executable = $Path.PathName
                $Arguments  = ''
            }
            if ($Executable -match ' ') {
                # Vulnerability found
                Write-Warning ("Unquoted Service Path Discovered for " + $Path.Name + " PATH: " + $Path.PathName)
                $VulnerableServices += New-Object PSObject -Property @{
                    ServiceName    = $Path.Name
                    ServicePath    = $Path.PathName
                    ExecutablePath = $Executable
                    Arguments      = $Arguments
                    HostName       = $env:COMPUTERNAME
                } # End Object
            } # End conditional operators
        } # End Foreach Path in UnquotedPath
        # Attempt to encapsulate the executable path in quotes if specified
        if ($Fix) {
            $VulnerableServices | ForEach-Object {
                $Service = $_   # keep a reference: inside Catch, $_ is the error record, not the service
                Write-Verbose ("Attempting to fix " + $Service.ServiceName)
                # Quote only the executable portion; any arguments stay outside the quotes
                $QuotedServicePath = ('"' + $Service.ExecutablePath + '"' + $Service.Arguments)
                $RegistryLocation  = ('HKLM:\SYSTEM\CurrentControlSet\Services\' + $Service.ServiceName)
                Try {
                    # ImagePath is normally REG_EXPAND_SZ, so write it back with that type
                    Set-ItemProperty -Path $RegistryLocation -Name ImagePath -Value $QuotedServicePath -Type ExpandString -Verbose
                    $Service.ServicePath = $QuotedServicePath
                } Catch {
                    Write-Error ("Unable to fix " + $Service.ServiceName + ": " + $_.Exception.Message)
                } # End Try/Catch
            } # End Foreach object in VulnerableServices
        } # End if Fix was specified
    } # End Process
    End {
        if ($VulnerableServices) { Return $VulnerableServices } else { Write-Verbose "No Unquoted Service Path vulnerabilities have been found" }
    } # End End
} # Get-ServicePathVulnerabilities</code></pre>
<p>[/code]</p>
<p><strong>Download</strong>: <a href="http://securekomodo.net/wp-content/uploads/2014/10/Get-ServicePathVulnerabilities.7z">Get-ServicePathVulnerabilities</a></p>
<p><strong>GitHub</strong>: <a href="https://github.com/SecureKomodo" target="_blank">https://github.com/SecureKomodo</a></p>
<p>As always I am open to comments!</p>
Powershell Incident Response Scriptshttps://www.securekomodo.net/powershell-incident-response/
Mon, 27 Oct 2014 18:33:41 +0000https://www.securekomodo.net/powershell-incident-response/
<h2 id="powershell-incident-response">Powershell Incident Response</h2>
<p>During the past few months I have been rather quiet with my online presence, mainly because my professional life has become more and more demanding, leaving no time to blog about my experiences. Even though I have not been sharing any experiences with the online community, I have been working diligently on leveraging PowerShell as an incident response tool. I want to share a scenario in which I used PowerShell scripts to gather information, determine a scope, and begin remediation for a particular security-related incident with a client out of the country. To protect the privacy of the client, I have omitted any identifying details and summarized the incident into the scenario below:</p>
<p><strong>The Scenario:</strong> Malicious traffic has been identified on multiple servers, and attackers have gained a foothold in the DMZ and other critical zones on the network. Security staff have proven that the attacker(s) were able to pivot to multiple servers and exfiltrate information to their command and control servers.</p>
<p><strong>Given:</strong> Security professionals have identified the network flow, hardened firewall rules, added logging devices, and modified the network design so no further data can leave the network. New logs have shown that some malicious traffic was attempting to exit from an unmanaged IP address in the DMZ using a local account with administrator access.</p>
<p><strong>The Task:</strong></p>
<ol>
<li>Find all unauthorized &#8220;rogue&#8221; devices in the DMZ and any other internet facing subnets.</li>
<li>Identify all servers (Internal and Perimeter) and retrieve all privileged administrator accounts. Both local and domain.</li>
<li>Set complex password requirements for all authorized privileged accounts, and remove all unauthorized members of the local administrator group.</li>
</ol>
<p>&nbsp;</p>
<p><strong>Task 1 Solution: Find Rogue Devices in DMZ</strong></p>
<p>So the first task of finding rogue devices was my favorite of the three. I was finally able to put a relatively simple PowerShell tool I had developed for personal use into production! The task was to search a particular subnet for any active devices that are not authorized to be on that network. I knew I would be able to retrieve that information so long as I ran the script from a server located within that network. I started in the DMZ: I was given access to a virtual server located within that DMZ, and I made sure that PowerShell version 4.0 was installed (though I would have been alright with PowerShell version 3.0 too). Aside from verifying the PowerShell version, there was nothing else I needed but the code to execute. Let me summarize how this script works.</p>
<ol>
<li>The script first determines its host&#8217;s IP address and validates network connectivity.</li>
<li>Then it begins sending ICMP echo requests to every IP address in the subnet.</li>
<li>Any responding devices are shown on the console as active.</li>
<li>Since the active IPs are now stored in the virtual server&#8217;s ARP cache, the script extracts that information to determine the MAC address corresponding to each IP, which helps identify what type of device was found.</li>
<li>Next, the script attempts to get the DNS name for each IP address by querying DNS.</li>
<li>Finally, the results are compared with the approved &#8220;known&#8221; server list, and any unauthorized devices are exported to a spreadsheet in CSV format for review.</li>
</ol>
<p>&nbsp;</p>
<p>Of course I could not publish the real output so I have fuzzed the below output information with fake IPs, Names, and Random MAC addresses.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/RogueDevices.png"><img class="alignnone wp-image-1165 size-full" src="http://securekomodo.net/wp-content/uploads/2014/10/RogueDevices.png" alt="Powershell Incident Response" width="642" height="191" /></a></p>
<p>This script takes only seconds to run and is essential in finding any rogue devices on your network. Since the scan is asynchronous, it can scan thousands of IPs in seconds! (It is important to note that only the local subnet is stored in the server&#8217;s ARP cache; if you are scanning devices past a router, the MAC address information will not be found in the ARP cache.) After analyzing the results of the rogue device scan, multiple unauthorized devices were identified that assisted the investigation of the security incident. I wrote about this a bit in some previous posts where I published my asynchronous network and host discovery scanner called Get-SecNetMap. I highly recommend checking it out!</p>
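<p>The six steps described above, as an added example that is not the author&#8217;s Get-SecNetMap script. The sweep uses the asynchronous Ping class from .NET; the ARP table, DNS answers and approved host list are constructed sample data (192.0.2.0/24 is a documentation range), so the comparison and CSV export run offline. Function names and the sample hosts are assumptions for this illustration.</p>

```powershell
# Added example, not the author's Get-SecNetMap: ping sweep, ARP parsing,
# name resolution and comparison against an approved list.

function Invoke-AsyncPingSweep {
    # Pings all 254 hosts of a /24 concurrently and returns the responders.
    param([Parameter(Mandatory)][string]$NetworkPrefix,   # e.g. '192.0.2'
          [int]$TimeoutMs = 500)
    $tasks = @{}
    foreach ($i in 1..254) {
        $ip = "$NetworkPrefix.$i"
        $tasks[$ip] = (New-Object System.Net.NetworkInformation.Ping).SendPingAsync($ip, $TimeoutMs)
    }
    [System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]@($tasks.Values))
    $tasks.GetEnumerator() |
        Where-Object { $_.Value.Result.Status -eq 'Success' } |
        ForEach-Object { $_.Key }
}

function ConvertFrom-ArpTable {
    # Parses 'arp -a' text into IP/MAC/Type objects. Only the local subnet is
    # in the cache; hosts behind a router do not appear with their own MAC.
    param([Parameter(Mandatory)][string[]]$ArpLines)
    foreach ($line in $ArpLines) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)') {
            [PSCustomObject]@{ IPAddress = $Matches[1]; MACAddress = $Matches[2].ToUpper(); Type = $Matches[3] }
        }
    }
}

function Find-RogueDevices {
    # Resolves each dynamic ARP entry and marks it authorized only if its IP or
    # host name is on the approved list. $Resolver defaults to a real DNS lookup.
    param(
        [Parameter(Mandatory)][object[]]$ArpEntries,
        [Parameter(Mandatory)][string[]]$KnownHosts,
        [scriptblock]$Resolver = { param($ip) try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $null } }
    )
    foreach ($entry in $ArpEntries) {
        if ($entry.Type -ne 'dynamic') { continue }           # skip broadcast/multicast statics
        $name = & $Resolver $entry.IPAddress
        $authorized = ($KnownHosts -contains $entry.IPAddress) -or ($name -and ($KnownHosts -contains $name))
        [PSCustomObject]@{
            IPAddress  = $entry.IPAddress
            MACAddress = $entry.MACAddress
            HostName   = if ($name) { $name } else { '(unresolved)' }
            Authorized = [bool]$authorized
        }
    }
}

# --- constructed sample data: what 'arp -a' shows on the scanning host -------
$sampleArp = @'
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-01     dynamic
  192.0.2.20            00-11-22-33-44-14     dynamic
  192.0.2.21            00-11-22-33-44-15     dynamic
  192.0.2.99            de-ad-be-ef-00-99     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
'@ -split "`r?`n"
$sampleDns = @{ '192.0.2.1' = 'fw01.example.test'; '192.0.2.20' = 'web01.example.test'; '192.0.2.21' = 'web02.example.test' }
$approved  = @('fw01.example.test', 'web01.example.test', 'web02.example.test')

$results = Find-RogueDevices -ArpEntries (ConvertFrom-ArpTable -ArpLines $sampleArp) `
                             -KnownHosts $approved -Resolver { param($ip) $sampleDns[$ip] }
$results | Format-Table -AutoSize
# 192.0.2.99 (DE-AD-BE-EF-00-99, unresolved) is the only row with Authorized = False
$results | Where-Object { -not $_.Authorized } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'RogueDevices.csv')

# Live run on the scanning host (needs network access and the real DNS resolver):
# Invoke-AsyncPingSweep -NetworkPrefix '192.0.2' | Out-Null      # populates the ARP cache
# Find-RogueDevices -ArpEntries (ConvertFrom-ArpTable (arp -a)) -KnownHosts $approved
```

<p>Static ARP entries (the broadcast address, multicast groups) are skipped so they do not show up as rogue devices, and an unresolved name is reported rather than treated as a match, which is the case that needs a human look.</p>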
<p><strong>Task 2 Solution: Find all Privileged Accounts</strong></p>
<p>The misuse of administrative accounts can give an attacker the ability to traverse from server to server. In addition to keeping a close eye on local administrators, it is imperative that each account has a unique password on every server to limit lateral movement. It seems elementary, but this is something I see time and time again in many organizations&#8230; So I wrote a script that uses ADSI to connect to a remote server and retrieve all members of the local Administrators group. The results could include local accounts, Active Directory users, Active Directory groups, computer objects, and SIDs. There are many ways to retrieve members of the local Administrators group using PowerShell, and I would always recommend using Remoting as the first (and best) method. However, in this situation the enterprise did not have Remoting configured, so I had to think of alternate methods to retrieve this information.</p>
<p>Essentially I took the list of known servers and devices found during the rogue device scan and used it as my target list for the local admin audit. Unfortunately, multithreading is not built into this script, so I had to loop through the server list using a foreach loop. Again, I fuzzed the actual results to show you what the output will look like.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/Get-LocalGroupMembersOutput.png"><img class="alignnone wp-image-1160 size-full" src="http://securekomodo.net/wp-content/uploads/2014/10/Get-LocalGroupMembersOutput.png" alt="Powershell Incident Response" width="680" height="267" /></a></p>
<p>Of course the audit is going to pull all members of the local admin group, and some could be legitimate. In order to determine which results were unauthorized, I consulted with the on site system administrators. They said that they maintained a list of all known accounts with admin rights which they swore to be <em>accurate</em> (this made me laugh&#8230;). Once the audit completed scanning I had a certain sense of enjoyment when I presented the retrieved evidence to them in a conference room. They were good sports about it though, we all knew there was a common goal in mind and getting an accurate baseline is the best course of action in gaining control of your critical systems.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/Get-LocalGroupMembersChart.png"><img class="alignnone wp-image-1162 size-full" src="http://securekomodo.net/wp-content/uploads/2014/10/Get-LocalGroupMembersChart.png" alt="Powershell Incident Response" width="634" height="416" /></a></p>
<p>Taking the list and throwing in some Excel pivot tables really helped display the results so the decision makers could see the risk involved. I was able to show each admin account by the count of servers it was identified on, with fancy charts and colors! We can look at the stats above and clearly see that the majority of privileged accounts were local accounts, followed by Active Directory members that were direct members of the local Administrators group. That makes the accounts more difficult to manage, since each time an account is removed or added, the server has to be touched. The best practice would be to add an Active Directory group as a member of the server&#8217;s local Administrators group, so that members can be added or removed dynamically without needing to interact with the server at all.</p>
<p>This data was also able to give some statistics showing how many servers a particular account was found on. The bad news is that one of the top accounts identified used the same password to log in to every server it was a member on. So if the account was compromised, an attacker would have inherent access to many other servers! During this time, management was able to coordinate with the local account owners to get the passwords changed immediately or have the account removed. For the Active Directory accounts identified, I was given the task of forcing a complex randomized password for every account.</p>
<p>&nbsp;</p>
<p><strong>Task 3 Solution: Set complex account passwords and remove unauthorized accounts.</strong></p>
<p>It goes without saying that one of the best ways to protect an account from unauthorized access is using a strong password. As computer performance increases and software becomes more sophisticated, successful password attacks are becoming easier to achieve. Management wanted to make sure every account password was changed. First they coordinated with the System Administrators again to make sure that complexity requirements were configured in Active Directory. Then they sent an email to all employees mandating a password change within a certain time frame. If the password was not changed during that time, I would set a complex random password and disable the account for good measure. Again, PowerShell saves the day!</p>
<p>By querying Active Directory for all accounts that had not had their password changed in the time frame specified by management, I was able to get an accurate list of accounts in scope. &#8220;In scope&#8221; accounts would get a forced random password and be disabled through a few built-in cmdlets of PowerShell. Get-Random was really useful during this process. The snippet of code below shows where I build a character array from ASCII codes 48 through 122 and create a random password of length 16.</p>
<p>[code language="PowerShell" collapse="false"]</p>
<pre><code># Set password complexity &amp; length
$Password = ""
# Build the character set from ASCII codes 48 ('0') through 122 ('z')
$ascii = $NULL; For ($a = 48; $a -le 122; $a++) { $ascii += ,[char][byte]$a }
$pwlength = 16
For ($loop = 1; $loop -le $pwlength; $loop++) {
    $Password += ($ascii | Get-Random)
}</code></pre>
<p>[/code]</p>
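<p>As an added example (not the author&#8217;s Set-SecRandomPassword script), here is the same idea with two changes a practitioner would want: the characters are drawn from the operating system CSPRNG rather than Get-Random, with out-of-range bytes rejected so every symbol is equally likely, and the reset-and-disable step is wrapped in a function that only reports until an explicit switch is given. Function names, the -Apply switch, the sample deadline and the sample account names are assumptions.</p>

```powershell
# Added example, not the post's script: CSPRNG password generation over the
# post's character range (ASCII 48..122) plus the reset-and-disable step.

function New-RandomPassword {
    # Get-Random is a convenience PRNG; for credentials draw bytes from the OS
    # CSPRNG and reject bytes above the largest multiple of the alphabet size,
    # so that byte % 75 is uniform (no modulo bias).
    param([int]$Length = 16)
    $alphabet = 48..122 | ForEach-Object { [char]$_ }     # '0'..'z', 75 symbols
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1
    $chars  = New-Object char[] $Length
    $limit  = 256 - (256 % $alphabet.Count)                 # accept bytes 0..224 only
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
        $chars[$i] = $alphabet[$buffer[0] % $alphabet.Count]
    }
    $rng.Dispose()
    -join $chars
}

function Reset-StaleAccount {
    # Accounts whose password was not changed by $Deadline get a random password
    # and are disabled. Reports only, unless -Apply is given. Needs the RSAT
    # ActiveDirectory module and rights to reset the accounts in scope.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$Deadline,
        [Parameter(Mandatory)][string[]]$SamAccountName,   # accounts from the admin audit
        [switch]$Apply
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($sam in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $sam -Properties PasswordLastSet -ErrorAction Stop
        } catch {
            Write-Warning "Account $sam not found: $($_.Exception.Message)"
            continue
        }
        # A null PasswordLastSet means the password was never set: treat it as stale.
        $changedInTime = $user.PasswordLastSet -and ($user.PasswordLastSet -ge $Deadline)
        if (-not $user.Enabled -or $changedInTime) { continue }
        if ($Apply) {
            # The new password is never logged: the account is disabled, and it is
            # re-issued by the helpdesk if the owner needs it back.
            $secure = ConvertTo-SecureString -String (New-RandomPassword -Length 16) -AsPlainText -Force
            Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
            Disable-ADAccount -Identity $user
        }
        [PSCustomObject]@{
            Account         = $user.SamAccountName
            PasswordLastSet = $user.PasswordLastSet
            Action          = if ($Apply) { 'password reset, account disabled' } else { 'would reset and disable (use -Apply)' }
        }
    }
}

# Constructed usage: report first, then apply once the list has been reviewed.
"Sample 16-character password: $(New-RandomPassword -Length 16)"
# Reset-StaleAccount -Deadline (Get-Date '2014-10-01') -SamAccountName 'svc_backup','jdoe' -Verbose
# Reset-StaleAccount -Deadline (Get-Date '2014-10-01') -SamAccountName 'svc_backup','jdoe' -Apply
```

<p>With 75 symbols and 16 positions the password carries about 16 &times; log2(75) &asymp; 100 bits of entropy, which only holds if each draw is actually uniform; that is what the rejection loop guarantees and what a plain <em>byte % 75</em> would not.</p>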
<p>Running it only took a minute or two, and the verbose output and logging really helped provide confidence in its execution. Here is an example of what the output looks like.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/10/Set-SecRandomPassword.png"><img class="alignnone wp-image-1169 size-full" src="http://securekomodo.net/wp-content/uploads/2014/10/Set-SecRandomPassword.png" alt="Powershell Incident Response" width="673" height="230" /></a></p>
<p>&nbsp;</p>
<p><strong>Takeaways</strong></p>
<ul>
<li><strong>Team coordination</strong>: I found that the biggest time delay in this security incident was team coordination. Prior to my arrival, there were no business units that were aware that I was going to be auditing their service and privileged accounts. So when the time came to either remove or reset the password, no one knew what systems were going to break, or if the account was even needed.</li>
<li><strong>Account Identification</strong>: Adding on to the problem of team coordination, it seemed nobody knew what any of the accounts were, or what they were used for. I was able to handle this later by coordinating a communication to ALL IT departments and running a &#8220;command center&#8221; where all of us would go through the findings one by one and document, document, and document. It is a tedious process, but it is critical in base-lining your privileged accounts. Go through each account and find answers for these questions&#8230;
<ul>
<li>Who owns this account?</li>
<li>What is the account used for?</li>
<li>Why does it need administrator access?</li>
</ul></li>
<li><strong>Admin Group Management</strong>: Rather than having local accounts or Active Directory accounts be direct members of a server&#8217;s admin group, try to use groups and keep the members of your local Administrators group clean. The less you have to &#8216;touch&#8217; a server for admin management the better. By keeping your administrators in an AD group and having only that group as an admin on the server, you can dynamically add or remove members as needed without needing to &#8216;touch&#8217; the server at all. This makes your life so much better 🙂</li>
<li><strong>Inherited Permissions</strong>: There were many AD groups found during the audit that brought attention to knowing who IS an admin and who is actually APPROVED to be an admin. Scanning the group members recursively was crucial in finding unauthorized privileged accounts. One of the servers had a group nested so far in (almost 5 levels deep) that I found particularly interesting: &#8220;Domain Users&#8221; was discovered as a nested member of an admin group on that server!!!! <strong>ಠ_ಠ</strong> Meaning&#8230; <strong>ANY</strong> user had full admin rights on that server, simply through misconfiguration in inherited permissions. That made my recursive scan completely time out due to the overwhelming results. But we were able to clean all those up just the same, so now the client has some real solid security controls in place going forward.</li>
<li><strong>PowerShell Remoting</strong>: If PSRemoting was enabled, I could have flown by with half the code in half the time. Seriously. Enable PSRemoting. If you need a little help providing a business case to your employer, SANS has a nice writeup: <a href="http://digital-forensics.sans.org/blog/2013/09/03/the-power-of-powershell-remoting" target="_blank">http://digital-forensics.sans.org/blog/2013/09/03/the-power-of-powershell-remoting</a></li>
</ul>
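<p>The Task 2 audit and the &#8220;Inherited Permissions&#8221; takeaway both call for the same thing, so here is one added example (not the author&#8217;s Get-LocalGroupMembers script) covering both: the local Administrators group is read over ADSI/WinNT, which needs no PSRemoting, and any domain group found in it is expanded through LDAP with a visited set so nested or circular groups are walked once, and a nested Domain Users is reported as a finding instead of enumerated. The computer name SERVER01 and the function names are assumptions.</p>

```powershell
# Added example, not the author's script: local Administrators audit over ADSI
# with recursive expansion of nested domain groups and cycle detection.

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # WinNT:// ADsPaths carry the NetBIOS name, so compare against that
    $shortName = ($ComputerName -split '\.')[0]
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://DOMAIN/name for domain principals, WinNT://HOST/name
        # for local ones, and WinNT://S-1-5-... for members that no longer resolve
        $source = (($path -replace '^WinNT://', '') -split '/')[0]
        [PSCustomObject]@{
            ComputerName = $ComputerName
            Member       = "$source\$name"
            Class        = $class                        # User or Group
            IsLocal      = ($source -ieq $shortName)
        }
    }
}

function Expand-DomainGroup {
    # Walks the LDAP 'member' attribute recursively. $Seen breaks cycles and keeps
    # a group that appears under several parents from being walked again.
    param([Parameter(Mandatory)][string]$GroupDN, [hashtable]$Seen = @{}, [int]$Depth = 0)
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true
    $group = [ADSI]"LDAP://$GroupDN"
    $groupName = [string]$group.sAMAccountName
    # 'Domain Users' membership comes from primaryGroupID, not 'member', so it is
    # reported as a finding rather than enumerated: every domain account is in it.
    if ($groupName -eq 'Domain Users') {
        [PSCustomObject]@{ Member = 'Domain Users (every domain account)'; Class = 'group'; ViaGroup = $GroupDN; Depth = $Depth }
        return
    }
    # Note: 'member' is returned in ranges of 1500 for very large groups; such
    # groups need ranged retrieval, which is omitted here for brevity.
    foreach ($memberDN in @($group.member)) {
        $obj     = [ADSI]"LDAP://$memberDN"
        $classes = @($obj.objectClass)
        $class   = [string]$classes[$classes.Count - 1]   # most specific class is last
        if ($class -eq 'group') {
            Expand-DomainGroup -GroupDN $memberDN -Seen $Seen -Depth ($Depth + 1)
        } else {
            [PSCustomObject]@{ Member = [string]$obj.sAMAccountName; Class = $class; ViaGroup = $GroupDN; Depth = $Depth }
        }
    }
}

function Get-EffectiveLocalAdmins {
    # Direct members of the local Administrators group, with domain groups
    # expanded to the accounts that actually hold admin rights through them.
    param([Parameter(Mandatory)][string]$ComputerName)
    $seen = @{}
    foreach ($m in Get-LocalAdminMembers -ComputerName $ComputerName) {
        if ($m.Class -eq 'Group' -and -not $m.IsLocal) {
            $sam = ($m.Member -split '\\')[-1]
            $hit = ([ADSISearcher]"(&(objectClass=group)(sAMAccountName=$sam))").FindOne()
            if ($hit) {
                $dn = [string]$hit.Properties['distinguishedname'][0]
                Expand-DomainGroup -GroupDN $dn -Seen $seen | ForEach-Object {
                    [PSCustomObject]@{ ComputerName = $ComputerName; Member = $_.Member; Class = $_.Class; Via = $_.ViaGroup; Depth = $_.Depth + 1 }
                }
                continue
            }
        }
        [PSCustomObject]@{ ComputerName = $ComputerName; Member = $m.Member; Class = $m.Class; Via = 'direct'; Depth = 0 }
    }
}

# Usage from a domain-joined host with rights to read the remote group; the CSV
# feeds the pivot-table step described above. 'SERVER01' is a placeholder.
# Get-EffectiveLocalAdmins -ComputerName 'SERVER01' |
#     Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'LocalAdmins.csv')
```

<p>The Depth column is what makes the five-levels-deep case visible in the pivot table: a direct member has depth 0, and an account that only reaches the server through a chain of nested groups shows how long that chain is, along with the group it arrived through.</p>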
<p>Before everyone asks: all the scripts used during this process I am going to make publicly available. I did not include them in this initial post since the scripts contain some client-specific data that I still need to omit before publishing. Be sure to follow PoshSec on Twitter @PoshSec and on GitHub, where I will commit the scripts: <a href="https://github.com/PoshSec" target="_blank">https://github.com/PoshSec</a></p>
<p>&nbsp;</p>
<p>I would love to know your thoughts. Do you think there were better ways to accomplish the tasks? Let me know!</p>
Cryptoviral Extortion: Malicious Encryption Exploited for Monetary Gainhttps://www.securekomodo.net/cryptoviral-extortion-malicious-encryption-exploited-for-monetary-gain/
Mon, 27 Oct 2014 00:20:40 +0000https://www.securekomodo.net/cryptoviral-extortion-malicious-encryption-exploited-for-monetary-gain/<blockquote>
<p style="text-align: center;">
&#8220;Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill&#8230; yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege.&#8221; &#8212; &#8220;A Thinking Man&#8217;s Creed for Crypto&#8221;, Vin McLellan
</p>
</blockquote>
<p style="text-align: center;">
Cryptoviral Extortion: Malicious Encryption Exploited for Monetary Gain
</p>
<p style="text-align: left;">
There is a certain level of sophistication and status surrounding the cryptography field. Typically, practitioners who regularly study ciphers and methods in an effort to apply those encryption techniques to simplifying everyday life are held in high regard. This is mainly because modern cryptography is so heavily based on mathematical theory and computer science, which require a higher level of education than most other fields in Information Technology. In an age where access to private systems and information is becoming ever more convenient for the public, it is difficult to achieve total anonymity without utilizing some method of encryption. Online bank transactions, for example, are mostly conducted through a secure communication layer which encrypts your private data to protect your identity and assets from unauthorized hackers. However, the same methodology used to safeguard private data through encryption is now being used maliciously by criminals to target and exploit unsuspecting victims for monetary gain.
</p>
<p style="text-align: left;">
Cryptoviral extortion is a particularly odious form of ransomware which essentially ‘kidnaps’ personal data through encryption. Then, if the victim wants their data restored, the unique decryption key will only be provided once they pay the ransom to the criminals. Late 2013 introduced a new variant of ransomware called “Cryptolocker”. Sophisticated developers used well-known cryptographic algorithms to implement malevolent encryption of personal data. The way it works is rather simple. Once a Windows-based computer is infected with the malicious code, it begins to encrypt every document stored on the local computer, even those stored on mapped network drives and removable storage. Using RSA 2048-bit asymmetric key encryption, it is nearly impossible to retrieve the data without paying the ransom, since the decryption key is stored on a remote server operated by the hackers. While the Cryptolocker variant is new to most users, this type of extortion has been around for quite some time. Strong asymmetric key encryption, like the encryption used in Cryptolocker, is unfortunately not recoverable in theory without the decryption key, though the risk of data loss can be lessened, or even avoided altogether, by practicing safe computing techniques.
</p>
<p>Extortion can be defined as the act or practice of getting money from someone through the use of fear, force, or threats (Merriam-Webster, 2013). Historically carried out through abuse of privilege on the part of public figures using their political power to get money or favors, it is now commonly practiced by organized crime groups or malicious users. New occurrences of computer crime are becoming more prevalent in everyday life, where personal data has become the prime target for criminals. As society continues to evolve further into the information age, the same can be said for organized crime. The basic principle of computer crime has not changed, yet the methods have become more sophisticated in their execution. The latest iteration of computer crime tactics has introduced Trojan software capable of “kidnapping” your personal data, holding it hostage until a ransom payment has been made. Utilizing sophisticated encryption standards, along with complete internet anonymity, it has gained a lot of attention from the media, and there has been a bit of hype surrounding the topic. The media blitz about ransomware has publicly labeled this software as revolutionary, yet it is important to note that these “ransomware” tactics have been around for quite some time. The Cryptolocker Trojan is just the next evolution of ransomware, one that has learned from past criminal attempts to extort money from PC owners. What makes Cryptolocker different is that its encryption is perfect in execution, and near impossible to crack. Since the only way to decrypt the files is through a private key that the criminals possess, the only option is to pay, or lose the data.</p>
<p style="text-align: left;">
Since its release around September 2013, Cryptolocker has been targeting only Windows Operating System versions ranging from Windows XP, through Windows 8, though future variants could potentially expand to include Mac OS X, or even Android/iOS mobile devices. The Trojan is usually spread through email pretending to be customer support issues for USPS, UPS, ADP, etc. (See left). Each email would contain a crafty message and a .ZIP attachment that once opened, would immediately start to infect the host computer (Abrams, 2013). The attachments fool users into believing they are valid because they disguise their file extension to look like a .PDF file and icon, though beneath the cloak is a malicious executable waiting to begin the encryption process.<br /> The encryption begins once the executable is started, and will scan all physical or mapped network drives on the host computer for files with the following extensions (Abrams, 2013):
</p>
<blockquote>
<p style="text-align: center;">
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
</p>
</blockquote>
<p style="text-align: left;">
After each file is found, it is encrypted using the public key of an RSA-2048 key pair, and a message is displayed to the user explaining that their data is now encrypted and they must pay the ransom within 72 hours or the private key will be destroyed (see below). Unfortunately, after the encryption has taken place, there is not much choice left for the victim. They must either succumb to the extortion and pay the criminals using anonymous payment methods like Bitcoin or MoneyPak vouchers, or leave their files encrypted without chance of future recovery. The underlying mathematics behind the RSA-2048 cryptosystem that Cryptolocker has implemented is what makes it such a strong encryption standard, and why recovery is not an option.
</p>
<p style="text-align: left;">
The RSA-2048 cryptosystem uses what is called asymmetric key encryption, where there is a public key (used to encrypt the files) and a private key (used to decrypt the files). The difficulty is entirely based on the problem of factoring extremely large numbers. Because of the computational difficulty of factoring a 2048-bit number, only someone with knowledge of the prime factors can feasibly decrypt the data. To illustrate this method of factoring, let us assume the number (modulus) used is N=15. Without getting too involved in the RSA algorithm, we know that 15 is the product of only two primes, 5 * 3, so the factors P and Q would be P=5 and Q=3. Knowing that information, we would be able to decrypt the message by plugging those (private) primes P and Q into the RSA algorithm. But what if N did not equal 15? What if it was a much larger number, like the 2048-bit (617 digits long) numbers used by the Cryptolocker malware? To provide perspective, a 617-digit sample number from Symeon Xenitellis’s The Open-Source PKI Book is provided below (Xenitellis, 2000).
</p>
<blockquote>
<p style="text-align: left;">
27928727520532098560054510086934803266769027328779773633517624932519959782855440353509062663825852727223986298676726328202776042265127475116423330432277935745868052617793594651686619933029730312573799176384081348734718092523534765500572439819131028990684498563888859874177855756336652257804467879680080859571614665706994859343608810676186674067708949755093039975941211253008157978789036441127011095726560212571370863346201690633153889542846093941923225064368851460069960392982454529684837005125465003797310139479221307918200583851065828489354285517184240655579549337386740031302249496379882799360098372401884741329801
</p>
</blockquote>
<p style="text-align: left;">
This large number is the product of two prime numbers (P and Q), just like in the simplified example before. But due to the difficulty of factoring numbers this large, it is infeasible to find the two prime factors in any reasonable amount of time, given our current understanding of technology and the speed limitations of our fastest processors. One can relate a timeframe for this work by referencing the RSA-640 challenge number (193 decimal digits), which took 5 months to factor on 80 simultaneously running 2.2GHz AMD Opteron CPUs (RSA Labs, 2008). Factoring RSA-2048 could take exponentially more time to compute, with far more resources needed for its operations. DigiCert released an estimate that it would take roughly 6.4 quadrillion years to break RSA-2048 using “standard desktop processing” (Digicert, 2013). It is feasible, however, for a well-resourced government to make progress in breaking RSA-2048 in the near future, given the focus on encryption and anonymity in the IT world today. For the purpose of demonstration, if someone did manage to factor the RSA-2048 modulus N above, they would come up with the factors P and Q, where P is:
</p>
<blockquote>
<p style="text-align: left;">
177911439335095959181279544996533836012188350981603422742171934946413277840084689147445712058908213332530260417982181001327467441044697854896458761089076165690493808885786069413849140325628587531392006940877675272901028352093634311510267630211705969129522940083486708968411430220927632138221540171427701495839
</p>
</blockquote>
<p style="text-align: left;">
And Q is:
</p>
<blockquote>
<p style="text-align: left;">
156981066675135922256519101186618530880869960811759113454958199019339050362200325314371832686072348092195221836669795595987275285870475032000847646645415387334949112223814090686488419575049948728896634283801626536461623719197189969994908907210550253093036639271282283237116072434851400420434671809603239292759
</p>
</blockquote>
<p style="text-align: left;">
Each pair used by the Cryptolocker Trojan is unique only to the computer that is infected with the malicious code, so even if the private key was obtained for one user, it would not be able to be applied to any others since they all would use a separate large number public key and private key combination. Although once encrypted, there is no way to retrieve your data, there are ways to protect and mitigate this Cryptoviral extortion from taking root in the first place.
</p>
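<p style="text-align: left;">
As an added illustration that is not part of the original paper, the N=15 walk-through above can be carried out step by step. The block below uses System.Numerics.BigInteger so the arithmetic is exact, builds the key pair from P and Q, encrypts and decrypts a small message, and then recovers the private exponent by factoring N with trial division. The factoring step succeeds only because N is tiny; for a 617-digit modulus the same loop would never finish, which is the whole point of the paragraph. Function names and the message value are assumptions.
</p>

```powershell
# Added example, not from the paper: textbook RSA on the paper's N = 15 using
# System.Numerics.BigInteger. Toy-sized on purpose.

function Get-ModularInverse {
    # Extended Euclidean algorithm: returns d with (A * d) mod M = 1.
    param([bigint]$A, [bigint]$M)
    [bigint]$t = 0; [bigint]$newT = 1
    [bigint]$r = $M; [bigint]$newR = [bigint]::Remainder($A, $M)
    while ($newR -ne 0) {
        $q = [bigint]::Divide($r, $newR)
        $t, $newT = $newT, ($t - $q * $newT)
        $r, $newR = $newR, ($r - $q * $newR)
    }
    if ($r -ne 1) { throw "e and phi(N) are not coprime" }
    if ($t -lt 0) { $t += $M }
    $t
}

function New-ToyRsaKey {
    # Key generation from the two primes: N = P*Q, phi = (P-1)(Q-1), d = e^-1 mod phi.
    param([bigint]$P, [bigint]$Q, [bigint]$E = 3)
    $N   = $P * $Q
    $Phi = ($P - 1) * ($Q - 1)
    $D   = Get-ModularInverse -A $E -M $Phi
    [PSCustomObject]@{ N = $N; E = $E; D = $D; P = $P; Q = $Q }
}

function Protect-ToyRsa   { param([bigint]$Message, $Key) [bigint]::ModPow($Message, $Key.E, $Key.N) }
function Unprotect-ToyRsa { param([bigint]$Cipher,  $Key) [bigint]::ModPow($Cipher,  $Key.D, $Key.N) }

function Find-Factors {
    # Trial division: fine for N = 15, hopeless for a 617-digit modulus.
    param([bigint]$N)
    [bigint]$p = 2
    while ($p * $p -le $N) {
        if ([bigint]::Remainder($N, $p) -eq 0) { return @($p, [bigint]::Divide($N, $p)) }
        $p += 1
    }
    @($N, 1)
}

# The paper's example: P = 5, Q = 3, so N = 15, phi(N) = 8 and e = 3 gives d = 3 (3*3 = 9 = 1 mod 8).
$key = New-ToyRsaKey -P 5 -Q 3
$m = 2                                  # the message must be smaller than N
$c = Protect-ToyRsa -Message $m -Key $key
"N=$($key.N) e=$($key.E) d=$($key.D)  m=$m -> c=$c -> m'=$(Unprotect-ToyRsa -Cipher $c -Key $key)"
# prints: N=15 e=3 d=3  m=2 -> c=8 -> m'=2

# Without the private key, recovering d means factoring N first.
$p, $q = Find-Factors -N $key.N
$recovered = New-ToyRsaKey -P $p -Q $q -E $key.E
"Factored N=$($key.N) as $p * $q, recovered d=$($recovered.D)"
# prints: Factored N=15 as 3 * 5, recovered d=3
```

<p style="text-align: left;">
Note that the public key (e, N) was enough to encrypt, but decryption needed d, and d was only computable once P and Q were known. With the 617-digit N, P and Q shown above, the same ModPow calls run instantly, while Find-Factors would have to try on the order of 10^308 divisors.
</p>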
<p style="text-align: left;">
Security should be primary focus for anyone connected to the internet, and even when safe computing is practiced, there is no way to be entirely protected. Cryptolocker seeks to take away something valuable from its victims, which is why there is profit in what they do. When something valuable is lost, people are willing to pay to get it back in most situations, no matter the cost. If a computer containing the only copies of precious family photos or critical bank information was maliciously encrypted, the computer owner would want to get them back at all cost. To protect from the harmful effects of Cryptolocker, the solution is simple. Backup your data, often. Regular backups are something that is stressed all the time. Yet many people still neglect to perform their scheduled backups for some reason. With prices for external hard drives and cloud storage consistently reducing in price, incentive to start making backup copies of critical data has never been easier. If a user who performed regular backups was infected with the Cryptolocker Trojan, it would be simply a small inconvenience for them to just restore their original files from their backup, and go on without ever having to pay the criminals. When the criminals realize that there is no longer profit in what they do, they would be forced to stop since they are not getting paid. And while there is no insight to what the next wave of criminal malware will contain, the better we can protect ourselves right now, the more prepared we will be for what comes next. But what if what comes next renders classical encryption standards like RSA obsolete?
</p>
<p style="text-align: left;">
As mentioned before, it is nearly impossible to derive a private key from the public key in any reasonable amount of time. This is only true because factoring is a hard problem on classical computers. Yet that security model would fail if quantum computers, machines with exponentially more processing power than today’s technology, become a reality. &#8220;It is reasonably clear that the classical encryption methods we are using today are going to become insecure in the long term,&#8221; says physicist Vadim Makarov of the Institute for Quantum Computing at the University of Waterloo. Using sent and received photons, a quantum computer can interpret the photon’s shape, spin, and polarization as digital 1s and 0s. If someone attempts to spy on the process and intercept the photons en route, then a disturbance is created and the transaction would be concluded to be insecure. This is because “The laws of physics say that if I am sending light, any attempt by an eavesdropper to make a measurement on that must create a disturbance” (Mone, 2013). Instead of using factoring as a method of security, quantum cryptography uses the laws of physics. This means that no matter how far we progress in technology, the quantum cryptosystem would remain secure, because the speed and efficiency of processors have no effect on the laws of physics. Yet even with future innovations, criminals will always try to exploit the weak for personal gain, and will continue to do so as long as there is profit involved. Even with quantum computing there are weaknesses that have already been discovered that could render that implementation obsolete. Cryptolocker uses our strongest encryption against us, and there is no reason that a future Cryptolocker would not be able to do the same. A more secure future is one where end users are more security-aware and participate in safe computing practices. Educating users not to open email attachments from unknown senders, and maintaining up-to-date virus protection software, is really the first level of protection in reducing threats online. Eliminate human error.
</p>
<p style="text-align: left;">
This paper was written as a final assignment during my undergrad. The original PDF can be viewed here:
</p>
<p style="text-align: left;">
<a href="http://securekomodo.net/cryptoviral-extortion-malicious-encryption-exploited-for-monetary-gain/cosc374-writtenassignment/" rel="attachment wp-att-1152">COSC374-WrittenAssignment</a>
</p>
<p style="text-align: left;">
References:
</p>
<blockquote>
<p style="text-align: left;">
Merriam-Webster Online. (2013). Define: Extortion. Springfield, MA: Merriam-Webster. Retrieved from http://www.merriam-webster.com/dictionary/extortion
</p>
<p style="text-align: left;">
Abrams, L. (2013). CryptoLocker ransomware information guide and FAQ. Bleeping Computer. Retrieved from http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
</p>
<p style="text-align: left;">
Xenitellis, S. (2000). The Open-Source PKI Book: A guide to PKIs and open-source implementations. OpenCA Team. Retrieved from http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI.pdf
</p>
<p style="text-align: left;">
RSA Labs. (2008). The RSA Factoring Challenge. Retrieved from http://www.emc.com/emc-plus/rsa-labs/historical/the-rsa-challenge-numbers.htm
</p>
<p style="text-align: left;">
Mone, G. (2013). Future-proof encryption. Communications of the ACM, 56(11), 12-14. Retrieved from http://cacm.acm.org/magazines/2013/11/169023-future-proof-encryption/fulltext
</p>
<p style="text-align: left;">
DigiCert. (2013). The math behind estimations to break a 2048-bit certificate. Check Our Numbers. Retrieved from http://www.digicert.com/TimeTravel/math.htm
</p>
</blockquote>
Part I: Powershell Multithreading: Asynchronous Network and Host Discovery Scannerhttps://www.securekomodo.net/part-i-powershell-multithreading-asynchronous-network-and-host-discovery-scanner/
Mon, 07 Apr 2014 16:30:00 +0000https://www.securekomodo.net/part-i-powershell-multithreading-asynchronous-network-and-host-discovery-scanner/
<p>Part I of my Get-SecNetMap &#8220;Mini-Module&#8221;:</p>
<ol>
<li><strong>Get-SecNetMap. (This Post)</strong></li>
<li><a title="Get-SecPortScan" href="http://securekomodo.net/part-ii-powershell-multithreading-asyncronous-network-and-host-discovery-scanner/" target="_blank">Get-SecPortScan</a></li>
<li><a title="Get-SecIPRange" href="http://securekomodo.net/part-iii-powershell-multithreading-asynchronous-network-and-host-discovery-scanner/" target="_blank">Get-SecIPRange</a></li>
<li><a title="Convert-SecIPAddress" href="http://securekomodo.net/part-iv-powershell-multithreading-asyncronous-network-and-host-discovery-scanner/" target="_blank">Convert-SecIPAddress</a></li>
<li><a title="Get-SecArpTable" href="http://securekomodo.net/part-v-powershell-multithreading-asyncronous-network-and-host-discovery-scanner/" target="_blank">Get-SecArpTable</a></li>
</ol>
<p><strong>A Quick Word about Powershell + Multithreading</strong></p>
<p>At the time of this post, it has been just over a year since I started using Powershell as my &#8220;go-to&#8221; scripting language. As my skills developed and my scripts became more robust, I came to see that what had been lacking in my Powershell journey was true performance metering. Many of the scripts I have written target 5000+ endpoints, and I simply do not have the time to wait multiple hours for a job that big to run. I had been pigeonholing myself into endless foreach loops that wait for one task to finish before the next can start. To answer the call of performance I started researching how Powershell can handle multitasking and concurrent connections. There are a few blogs here and there that show some samples of using &#8220;Jobs&#8221;, but I was not impressed. I was able to find a post by <a title="http://learn-powershell.net/2012/05/13/using-background-runspaces-instead-of-psjobs-for-better-performance/" href="http://learn-powershell.net/2012/05/13/using-background-runspaces-instead-of-psjobs-for-better-performance/" target="_blank">Boe Prox</a> that really opened my eyes to what truly is the best way to multithread in Powershell. His research showed that .NET runspaces are far superior in performance to PS Jobs, because they avoid the overhead that cmdlets like Start-Job create, which can really slow things down. I am not going to go into too much detail about the various ways Powershell can handle multithreading, because that is a topic I will cover in detail in a later post. Rather, I want to share a really cool tool I have been working on for about 2 weeks now. I plan to add it to the ever-growing tool set for PoshSec, a security module for Powershell created by some really cool dudes whom I have been helping with development.</p>
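<p>As an added example (not code from this post or from the PoshSec module), the following harness times the same constructed workload through Start-Job and through a .NET RunspacePool, so the overhead difference described above can be measured on your own machine rather than taken on faith. The function name, the 20-task workload and the 100 ms sleep are assumptions.</p>

```powershell
# Added example (not part of the post or the PoshSec module): times one
# constructed workload run through Start-Job and through a RunspacePool so
# the scheduling overhead of each approach can be compared directly.
function Measure-ParallelOverhead {
    [CmdletBinding()]
    param (
        [int]$TaskCount = 20,   # number of independent work items
        [int]$Throttle  = 10    # maximum concurrent jobs / runspaces
    )

    # Constructed workload: each item sleeps 100 ms and returns its own number,
    # so anything beyond roughly (TaskCount / Throttle) * 100 ms is overhead.
    $Work = { param($n) Start-Sleep -Milliseconds 100; $n }

    $Sw = [System.Diagnostics.Stopwatch]::StartNew()

    # --- Start-Job: every job is a separate PowerShell process ---------------
    $Jobs = foreach ($n in 1..$TaskCount) {
        # Hold the number of running jobs at the throttle (counts every job
        # in the session, so run this in a clean session for a fair number)
        while (@(Get-Job -State Running).Count -ge $Throttle) {
            Start-Sleep -Milliseconds 20
        }
        Start-Job -ScriptBlock $Work -ArgumentList $n
    }
    $JobResults = $Jobs | Wait-Job | Receive-Job
    $Jobs | Remove-Job
    $JobSeconds = $Sw.Elapsed.TotalSeconds

    # --- RunspacePool: in-process threads that share one pool ----------------
    $Sw.Restart()
    $Pool = [RunspaceFactory]::CreateRunspacePool(1, $Throttle)
    $Pool.Open()
    $Handles = foreach ($n in 1..$TaskCount) {
        $Ps = [PowerShell]::Create().AddScript($Work).AddArgument($n)
        $Ps.RunspacePool = $Pool
        # Keep the PowerShell instance and its async handle together, the
        # same way Get-SecNetMap keeps them in $RunspaceArray
        [PSCustomObject]@{ PowerShell = $Ps; Handle = $Ps.BeginInvoke() }
    }
    $PoolResults = foreach ($h in $Handles) {
        $h.PowerShell.EndInvoke($h.Handle)   # blocks until that item is done
        $h.PowerShell.Dispose()
    }
    $Pool.Close()
    $Pool.Dispose()
    $PoolSeconds = $Sw.Elapsed.TotalSeconds

    [PSCustomObject]@{
        TaskCount       = $TaskCount
        Throttle        = $Throttle
        JobSeconds      = [math]::Round($JobSeconds, 2)
        RunspaceSeconds = [math]::Round($PoolSeconds, 2)
        JobResultCount  = @($JobResults).Count    # both should equal TaskCount
        PoolResultCount = @($PoolResults).Count
    }
}

Measure-ParallelOverhead -TaskCount 20 -Throttle 10 | Format-List
```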
<h2 id="get-secnetmap">Get-SecNetMap</h2>
<p>Introducing Get-SecNetMap, a Network and Host Discovery Scanner that could be the BEST nmap alternative for native Windows systems. Let me explain&#8230;</p>
<p>Nmap is one of the most well-known security tools there is for Linux systems, and for good reason: it works well! I have been searching for a great Windows alternative that can provide at least the most basic features of nmap and had no success. All I found were simple one-liners to run Test-Connection against a computer or list of computers, nothing that could come close to the features and performance of nmap. It was at that time I decided to stop searching and just start to develop my own. A true hacker mentality 😛</p>
<p>Let's take a look at one of the various features of this module.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/ScanSubnet.png"><img class="alignnone size-full wp-image-1053" src="http://securekomodo.net/wp-content/uploads/2014/04/ScanSubnet.png" alt="ScanSubnet" width="534" height="201" /></a></p>
<p>You can see from the above output that no host was specified to scan. This means that it will automatically use the local IP address of the host running the script and calculate the network address and broadcast address to determine the subnet to scan. Once the range is determined, this particular command is set to randomize the target IPs so that you are not scanning incrementally. It makes all these determinations and provides you real-time output in less than 7 seconds on my slow WLAN. I have seen speeds on faster LANs of scanning a range of 2500 hosts in less than 25 seconds!!!</p>
<p>I came up with the following tool that can be considered the &#8220;alpha&#8221; release for this module. Here are some of the module's key features.</p>
<ul>
<li>Scans an IP specified to determine if it is active or inactive on a network</li>
<li>Scans an entire subnet to find all active/inactive hosts on a network</li>
<li>Scans a specified range of IP addresses to find active/inactive hosts on a network</li>
<li>Asynchronously scans a specified IP/host for top known ports</li>
<li>Converts an IP address to an integer (and vice versa)</li>
<li>Can randomize the IPs to be scanned to assist in throwing off Intrusion Detection Systems (IDS)</li>
<li>Allows a specified timeout between scans to assist in throwing off any IDS</li>
<li>Retrieves the Address Resolution Protocol (ARP) table to determine if the machine's ARP cache is poisoned</li>
<li>Can spoof an entry in the ARP Table</li>
<li>Does all of this asynchronously by a specified throttle limit for concurrent scans</li>
</ul>
<p>In this &#8220;mini-module&#8221; I have 5 main functions, each of which will have a separate blog post with details specific to that function.</p>
<p>You can download the module source files here: <a title="http://securekomodo.net/files/Get-SecNetMap.zip" href="http://securekomodo.net/files/Get-SecNetMap.zip" target="_blank">http://securekomodo.net/files/Get-SecNetMap.zip</a></p>
<p>Time for some code!</p>
<p><em>Note: In order for the below code to work, you must have the module imported</em></p>
<p><strong>Get-SecNetMap</strong></p>
<div style="font-size: 12px;">
<pre><code class="language-powershell">
Function Get-SecNetMap {
<#
.SYNOPSIS
Asynchronously scans a network range or single target to determine active network clients

.DESCRIPTION
Utilizes asynchronous runspaces to perform a high performance network scan of devices on a given network. Also has built in
IDS counter-measures to allow for less detectable scanning.

.PARAMETER IPAddress
An IP address or group of IP addresses to run the commands against. Can use aliases of 'ComputerName' or 'Server'

.PARAMETER Throttle
Number of asynchronous jobs that will run concurrently. Default is set to 50

.PARAMETER Timeout
Wait time before creating another job. Rule of thumb: Faster you scan, more detectable you become.

.NOTES
Name: Get-SecNetMap.ps1
Author: SecureKomodo
Version: 1.0
#>
# ScanSubnet is the default set so a plain single-target call still binds
[Cmdletbinding(DefaultParameterSetName="ScanSubnet")]
Param (
    [parameter(ValueFromPipeline = $True)]
    [Alias('ComputerName','Server')]
    [System.Net.IPAddress]$IPAddress,

    [parameter(Mandatory=$False)]
    [String]$Hostname,

    [Parameter(Mandatory=$False)]
    [ValidateSet('Paranoid','Sneaky','Polite','Normal','Aggressive','Insane')]
    [String]$Timeout,

    [Parameter(Mandatory=$False)]
    [Int]$Throttle=50,

    # Switch to Scan Range (-sR)
    [Parameter(Mandatory=$False, ParameterSetName="ScanRange")]
    [Switch]$sR,

    # Mandatory minimum ip (-minIP) if (-sR) is specified
    [Parameter(Mandatory=$True, ParameterSetName="ScanRange")]
    [System.Net.IPAddress]$minIP,

    # Mandatory maximum ip (-maxIP) if (-sR) is specified
    [Parameter(Mandatory=$True, ParameterSetName="ScanRange")]
    [System.Net.IPAddress]$maxIP,

    # Switch to Scan Entire Specified Subnet (-sSN)
    [Parameter(Mandatory=$False, ParameterSetName="ScanSubnet")]
    [Switch]$sSN,

    # Subnet Mask (-SubnetMask) if (-sSN) is specified; taken from the local adapter when no target is given
    [Parameter(Mandatory=$False, ParameterSetName="ScanSubnet")]
    [System.Net.IPAddress]$SubnetMask,

    # Switch to Randomize Targets (-Randomize)
    [Parameter(Mandatory=$False)]
    [Switch]$Randomize,

    # Switch to scan for Open ports
    [Parameter(Mandatory=$False)]
    [Switch]$sP,

    # Switch to make output silent
    [Parameter(Mandatory=$False)]
    [Switch]$Silent
)

Begin {
    $StartTime = Get-Date
    Write-Output ("Starting SecNetMap v1.0 ( Author: SecureKomodo ) at " + $StartTime + "`n")

    # Is Verbose Specified?
    $Verb=$False
    If ($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent) {
        $Verb=$True
        Write-Verbose "Verbose Output Specified"
        Write-Verbose "Randomize: $Randomize"
        Write-Verbose "SubnetMask: $SubnetMask"
        Write-Verbose "Throttle: $Throttle"
        Write-Verbose "Timeout: $Timeout"
    }

    # Declaring Main Array
    $Main=@()

    # Runspace Array to hold jobs
    $RunspaceArray = @()

    $TargetRange=@()

    # Get localhost info if IP not specified
    if ((!$IPAddress) -and (!$Hostname)) {
        $IPConfig = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $env:COMPUTERNAME | Where-Object {$_.IPEnabled} | Select-Object IPAddress,IPSubnet
        if ($IPConfig) {
            [System.Net.IPAddress]$IPAddress=$IPConfig.IPAddress[0]
            [System.Net.IPAddress]$SubnetMask=$IPConfig.IPSubnet[0]
        } else {Write-Warning "You are not connected to any Networks"}
    }

    # Get IP info through DNS if Host specified
    if ((!$IPAddress) -and $Hostname) {
        # Keep the first resolved address; GetHostAddresses throws when the name does not resolve
        try   { $IPAddress = ([System.Net.Dns]::GetHostAddresses($Hostname))[0] }
        catch { $IPAddress = $null }
        # If DNS fails then try Test-Connection against the hostname, and if that fails too stop the script
        if (!$IPAddress){
            $IPAddress = (Test-Connection -ComputerName $Hostname -Count 1 -ErrorAction SilentlyContinue).IPV4Address
            if (!$IPAddress){ throw "Unable to resolve hostname $Hostname" }
        }
    }

    # Timeout between scans (ms). I know it is different from nmap. Deal with it.
    switch ($Timeout) {
        'Paranoid'   {[int]$T=300000}
        'Sneaky'     {[int]$T=15000}
        'Polite'     {[int]$T=7500}
        'Normal'     {[int]$T=1000}
        'Aggressive' {[int]$T=500}
        'Insane'     {[int]$T=0}
        default      {[int]$T=1000}   # Default if not specified
    }

    # Creating Runspace pool and Session States
    $InitialSessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
    $RunspacePool = [Runspacefactory]::CreateRunspacePool(1, $Throttle, $InitialSessionState, $Host)
    $RunspacePool.Open()

    # Script to run in every runspace
    $Script={
        Param ($IP,$Verb)

        # Creates Object for Ping
        $PObject = New-Object System.Net.NetworkInformation.Ping

        # Sends Ping (ICMP) and stores the reply (arguments: target, timeout in ms, payload)
        $Ping=$PObject.Send($IP,1,8)

        # Show Current IP (If Specified)
        if($Verb){Write-Verbose ("Scanning $IP")}

        # This will be placed into the Main array as [0] and [1] in the 'Do loop' later
        Return $IP,$Ping.Status

    } # End Script

} # End Begin

Process {

    if ($sSN) {

        Write-Verbose "Calculate NetworkAddress and BroadCastAddress"
        # Calculate NetworkAddress and BroadCastAddress
        [System.Net.IPAddress]$NetworkAddress = ($SubnetMask.Address -bAnd $IPAddress.Address)
        [System.Net.IPAddress]$BroadCastAddress = ($SubnetMask.Address -bXor ([System.Net.IPAddress]::Broadcast).Address -bOr $NetworkAddress.Address)

        # Shuffles the IP target range only if specified so the scan is not incremental. This is to assist with keeping the scan undetected
        if ($Randomize){
            Write-Verbose "Randomizing IP Addresses..."
            $ToShuffle=@()

            # Note: In order to randomize properly, the IP addresses are converted into an array of integers, those integers shuffled, and then converted back to IP addresses.

            Write-Verbose "Calculate Minimum and Maximum Int64 representations of Addresses for randomization"
            # Calculate Minimum and Maximum Int64 representations of Addresses
            [System.Int64]$RangeMin = Convert-SecIPAddress -toINT $NetworkAddress
            [System.Int64]$RangeMax = Convert-SecIPAddress -toINT $BroadCastAddress

            Write-Verbose "INT Min: $RangeMin"
            Write-Verbose "INT Max: $RangeMax"

            # Loop to store range of integers (calculated from IP addresses) into array to be shuffled
            [long]$i=$RangeMin
            do {
                $i++
                $ToShuffle+=$i
            } while ($i -lt [long]$RangeMax)

            # Randomize
            $Shuffled = Get-Random -Count ([int]::MaxValue) -InputObject ($ToShuffle)

            # Convert back to IP
            $Shuffled | ForEach-Object {
                $TargetRange+= (Convert-SecIPAddress -fromINT $_)
            }

            Write-Verbose "Randomize Complete."

        } else {

            $TargetRange = Get-SecIPRange -minIP $NetworkAddress -maxIP $BroadCastAddress

        } # End If/Else Random

    } # End if ScanSubnet specified
    elseif($sR){

        $TargetRange = Get-SecIPRange -minIP $minIP -maxIP $maxIP

    } # End elseif Range specified
    else {$TargetRange = @($IPAddress)} # End if sR or sSN

    $Count = 0
    # Start loop to create Runspaces
    Write-Verbose "Starting to create runspaces"
    foreach ($IP in $TargetRange) {
        $Count++
        if (!($Silent)){Write-Progress -Id 1 -Activity "Scanning..." -Status $IP -PercentComplete (($Count/$TargetRange.Count)*100)}

        # Create the powershell instance and supply the scriptblock with the other parameters
        $Powershell = [Powershell]::Create().AddScript($Script).AddArgument($IP).AddArgument($Verb)

        # Add the runspace pool into the powershell instance
        $Powershell.RunspacePool = $RunspacePool

        # Create a TempArray for each runspace
        $TempArray = New-Object PSObject -Property @{
            PowerShell=$null
            Runspace=$null
            IP=$null
        } # End Temporary Array

        $TempArray.IP = $IP
        $TempArray.PowerShell = $Powershell

        # Save the handle output when calling BeginInvoke() that will be used later to end the runspace
        $TempArray.Runspace = $Powershell.BeginInvoke()
        $RunspaceArray += $TempArray

        # Honour the -Timeout delay before the next job is created
        if ($T -gt 0) { Start-Sleep -Milliseconds $T }

    } # End Foreach IP in Subnet

    # Retrieve runspaces from $RunspaceArray until every one has been collected
    Do {

        Foreach($Runspace in $RunspaceArray) {

            If ($Runspace.Runspace -and $Runspace.Runspace.IsCompleted) {

                # Job Done. Retrieve Output from the ScriptBlock (EndInvoke once, then index the result)
                $Result = $Runspace.PowerShell.EndInvoke($Runspace.Runspace)
                $Main += New-Object PSObject -Property @{
                    IP=$Result[0]
                    Status=$Result[1]
                } # End Main

                $Runspace.PowerShell.Dispose()
                $Runspace.Runspace = $Null
                $Runspace.PowerShell = $Null

            } # End If Runspace is Complete

        } # End Foreach Runspace

        # Check to see if any Runspaces are still outstanding
        If ($RunspaceArray | Where-Object {$_.PowerShell}) {
            $Complete=$False
            Start-Sleep -Milliseconds 50
        } Else {$Complete=$True}

    } Until ($Complete)

} # End Process

End {
    $EndTime = Get-Date
    $TimeSpan = (New-TimeSpan -Start $StartTime -End $EndTime).TotalSeconds
    $HostsUp = $Main.Status | Where-Object {$_ -eq "Success"} | Group-Object
    $NotShown = $Main.Status | Where-Object {$_ -eq "TimedOut"} | Group-Object

    if ($NotShown) {Write-Output ("Not Shown: " + $NotShown.Count + " offline hosts") }
    if ($HostsUp) {$Main | Where-Object {$_.Status -eq "Success"} | Format-Table -AutoSize}

    Write-Output ("`nSecNetMap done: " + $TargetRange.Count + " total hosts ( " + ($HostsUp.Count) + " hosts up ) " + ("scanned in {0:N2}" -f $TimeSpan) + " seconds")

    # Scans for ports if the port switch was specified. This code will likely go elsewhere at some point since it is not ideal to have it in the End statement.
    $Count=0
    if ($sP) {
        foreach ($h in ($Main | Where-Object {$_.Status -eq "Success"})) {
            $Count++
            Write-Verbose "Starting to scan ports"
            if (!($Silent)){Write-Progress -Id 1 -Activity "Port Scan in Progress..." -Status $h.IP -PercentComplete (($Count/$HostsUp.Count)*100)}

            Get-SecPortScan -IP $h.IP -Throttle $Throttle

        } # End foreach active host

    } # End if Portscan specified

    # Release the runspace pool
    $RunspacePool.Close()
    $RunspacePool.Dispose()

} # End END

} # End Get-SecNetMap
</code></pre>
<p>
I hope that you will get as much enjoyment from
</p>
</div>
Part II: PowerShell Multithreading – Asynchronous Network and Host Discovery Scannerhttps://www.securekomodo.net/part-ii-powershell-multithreading-asyncronous-network-and-host-discovery-scanner/
Sun, 06 Apr 2014 23:45:56 +0000https://www.securekomodo.net/part-ii-powershell-multithreading-asyncronous-network-and-host-discovery-scanner/
<p>Part II of my Get-SecNetMap &#8220;Mini-Module&#8221;:</p>
<ol>
<li>Get-SecNetMap</li>
<li><strong>Get-SecPortScan (This Post)</strong></li>
<li>Get-SecIPRange</li>
<li>Convert-SecIPAddress</li>
<li>Get-SecArpTable</li>
</ol>
<h2 id="get-secportscan">Get-SecPortScan</h2>
<p>You can download the module source files here: <a title="http://securekomodo.net/files/Get-SecNetMap.zip" href="http://securekomodo.net/files/Get-SecNetMap.zip" target="_blank">http://securekomodo.net/files/Get-SecNetMap.zip</a></p>
<p>Get-SecPortScan is unique in that it can scan a target host for many ports at once. It does this by using .NET runspaces in PowerShell. The script targets a host and opens many asynchronous TCP socket connections over various ports, either specified by the user or taken from a default list of top ports. It can be used standalone or in conjunction with the Get-SecNetMap function. Here is an example of the output when run against the healthcare.gov website&#8230;</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/PortScan.png"><img class="alignnone size-full wp-image-1049" src="http://securekomodo.net/wp-content/uploads/2014/04/PortScan.png" alt="PortScan" width="543" height="166" /></a></p>
<p>You see here that since I did not specify a list of ports to scan, the script used the default top 112 ports and found that 2 of those ports were open: port 80 for HTTP and port 443 for HTTPS. You can see the potential for needing to know this information when performing a pentest of any kind.</p>
<p>Time for some code!</p>
<p><strong>Get-SecPortScan</strong></p>
<div style="font-size: 12px;">
<pre><code class="language-powershell">
Function Get-SecPortScan {
<#
.SYNOPSIS
Scans a specified Server or IP for any open ports

.DESCRIPTION
Asynchronously scans multiple ports on a target and returns a list of the results

.PARAMETER Server
String to look up a server name by DNS

.PARAMETER IP
IP address to scan

.PARAMETER Ports
List of ports to be scanned, if not specified then the top ports will be scanned

.EXAMPLE
Get-SecPortScan -IP securekomodo.net -Ports 80

Port IP               Info Type Open
---- --               ---- ---- ----
80   securekomodo.net      TCP  True

.EXAMPLE
Get-SecPortScan -IP securekomodo.net

Starting SecPortScan v1.0 ( Author: SecureKomodo ) at 04/06/2014 12:05:04

Port IP               Info Type Open
---- --               ---- ---- ----
80   securekomodo.net      TCP  True
443  securekomodo.net      TCP  True

SecPortScan done: 112 total ports ( 2 open ) scanned in 3.10 seconds

.NOTES
Name: Get-SecPortScan.ps1
Author: SecureKomodo
Version: 1.0
#>
[Cmdletbinding()]
Param (
    [System.String]$Server,
    [System.String]$IP,
    [System.Array]$Ports,
    [Int]$Throttle=50,
    [Int]$Timeout=500,

    # Switch to make output silent
    [Parameter(Mandatory=$False)]
    [Switch]$Silent
)

Begin {
    $StartTime = Get-Date
    if (!$Silent) {Write-Output ("Starting SecPortScan v1.0 ( Author: SecureKomodo ) at " + $StartTime + "`n") }

    # Is Verbose Specified?
    If ($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent) {
        $Verb=$True
        Write-Verbose "Starting Get-SecPortScan..."
    }

    # Static list of some top ports
    if (!$Ports){$Ports=(
        1,5,7,9,11,13,17,18,19,20,21,22,23,25,37,39,42,43,
        49,50,53,63,67,68,69,70,71,72,73,73,79,80,88,95,101,
        102,105,107,109,110,111,113,115,117,119,123,137,138,
        139,143,161,162,163,164,174,177,178,179,191,194,199,
        201,202,204,206,209,210,213,220,245,347,363,369,370,
        372,389,427,434,435,443,444,445,464,468,487,488,496,
        500,535,538,546,547,554,563,565,587,610,611,612,631,
        636,674,694,749,750,765,767,873,992,993,994,995)}

    # Resolve the server name to its first address when no IP was given
    If ($Server -and !$IP){$IP=([System.Net.Dns]::GetHostAddresses($Server))[0].IPAddressToString}

    # Declaring Main Array
    $Main=@()

    # Runspace Array to hold jobs
    $RunspaceArray = @()

    # Creating Runspace pool and Session States
    $InitialSessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
    $RunspacePool = [Runspacefactory]::CreateRunspacePool(1, $Throttle, $InitialSessionState, $Host)
    $RunspacePool.Open()

    # Script to run in every runspace
    $Script={
        Param ($IP,$Port,$Timeout)

        # Create temporary object
        $TempObj = New-Object PSObject -Property @{
            IP=''
            Port=''
            Type=''
            Open=''
            Info=''
        }

        # TCP Socket Object
        $TCPSocket = New-Object System.Net.Sockets.TcpClient

        # Connect to port
        $BeginConnect = $TCPSocket.BeginConnect($IP,$Port,$null,$null)

        # Configure a timeout before quitting
        $WaitOne = $BeginConnect.AsyncWaitHandle.WaitOne($Timeout,$False)

        # If/Else Timeout
        If(!$WaitOne) {

            # Close TCP Socket
            $TCPSocket.Close()

            # Log Info to Temp Object
            $TempObj.IP = $IP
            $TempObj.Port = $Port
            $TempObj.Type = "TCP"
            $TempObj.Open = $False
            $TempObj.Info = "Connection to Port Timed Out"

        } Else {
            $Failed = $False
            $ErrorMessage = ''

            # Shoutout to Boe Prox for helping make errors more readable for output
            Try {
                $TCPSocket.EndConnect($BeginConnect) | Out-Null
            } Catch {
                # EndConnect throws a SocketException (for example "connection refused") when the port is closed
                If ($_.Exception.InnerException) { $ErrorMessage = $_.Exception.InnerException.Message }
                Else { $ErrorMessage = $_.Exception.Message }
                $Failed = $True
            } # End Catch

            # Close TCP Socket
            $TCPSocket.Close()

            # If/Else Failed
            If($Failed){

                # Log Info to Temp Object
                $TempObj.IP = $IP
                $TempObj.Port = $Port
                $TempObj.Type = "TCP"
                $TempObj.Open = $False
                $TempObj.Info = "$ErrorMessage"
            } Else {

                # Log Info to Temp Object
                $TempObj.IP = $IP
                $TempObj.Port = $Port
                $TempObj.Type = "TCP"
                $TempObj.Open = $True
                $TempObj.Info = ""
            } # End If/Else Failed

        } # End If/Else Timeout

        # Send from TempObj in this runspace to the Main output later
        Return $TempObj.IP,$TempObj.Port,$TempObj.Type,$TempObj.Open,$TempObj.Info

    } # End Script

} # End Begin

Process {
    $pCount=0
    # Start loop to create Runspaces
    foreach ($Port in $Ports) {
        $pCount++
        if (!$Silent) {Write-Progress -Id 2 -Activity "Scanning Ports..." -Status $Port -PercentComplete (($pCount/$Ports.Count)*100)}

        # Create the powershell instance and supply the scriptblock with the other parameters
        $Powershell = [Powershell]::Create().AddScript($Script).AddArgument($IP).AddArgument($Port).AddArgument($Timeout)

        # Add the runspace pool into the powershell instance
        $Powershell.RunspacePool = $RunspacePool

        # Create a TempArray for each runspace
        $TempArray = New-Object PSObject -Property @{
            PowerShell=$null
            Runspace=$null
            Port=$null
        } # End Temporary Array

        $TempArray.Port = $Port
        $TempArray.PowerShell = $Powershell

        # Save the handle output when calling BeginInvoke() that will be used later to end the runspace
        $TempArray.Runspace = $Powershell.BeginInvoke()
        $RunspaceArray += $TempArray

    } # End Foreach Port

    # Retrieve runspaces from $RunspaceArray until every one has been collected
    Do {

        Foreach($Runspace in $RunspaceArray) {

            If ($Runspace.Runspace -and $Runspace.Runspace.IsCompleted) {

                # Job Done. Retrieve Output from the ScriptBlock (EndInvoke once, then index the result)
                $Result = $Runspace.PowerShell.EndInvoke($Runspace.Runspace)
                $Main += New-Object PSObject -Property @{
                    IP=$Result[0]
                    Port=$Result[1]
                    Type=$Result[2]
                    Open=$Result[3]
                    Info=$Result[4]
                } # End Main

                $Runspace.PowerShell.Dispose()
                $Runspace.Runspace = $Null
                $Runspace.PowerShell = $Null

            } # End If Runspace is Complete

        } # End Foreach Runspace

        # Check to see if any Runspaces are still outstanding
        If ($RunspaceArray | Where-Object {$_.PowerShell}) {
            $Complete=$False
            Start-Sleep -Milliseconds 50
        } Else {$Complete=$True}

    } Until ($Complete)

} # End Process

End {

    $EndTime = Get-Date
    $TimeSpan = (New-TimeSpan -Start $StartTime -End $EndTime).TotalSeconds
    $PortsOpen = $Main.Open | Where-Object {$_ -eq $True} | Group-Object
    $PortsClosed = $Main.Open | Where-Object {$_ -ne $True} | Group-Object

    if ($PortsClosed -and !$Silent) {Write-Output ("Not Shown: " + $PortsClosed.Count + " closed ports") }
    if ($PortsOpen) {$MainPortsOpen = $Main | Where-Object {$_.Open -eq $True} | Format-Table -AutoSize}

    if (!$Silent) {Write-Output ("`nSecPortScan done: " + $Ports.Count + " total ports ( " + ($PortsOpen.Count) + " open ) " + ("scanned in {0:N2}" -f $TimeSpan) + " seconds") }

    # Release the runspace pool
    $RunspacePool.Close()
    $RunspacePool.Dispose()

    Return $MainPortsOpen
} # End END

} # End Function
</code></pre>
</div>
<p>Future revisions of this script will be released and will include UDP support, and more!</p>
Part III: Powershell Multithreading – Asynchronous Network and Host Discovery Scannerhttps://www.securekomodo.net/part-iii-powershell-multithreading-asynchronous-network-and-host-discovery-scanner/
Sun, 06 Apr 2014 23:45:26 +0000https://www.securekomodo.net/part-iii-powershell-multithreading-asynchronous-network-and-host-discovery-scanner/
<p>Part III of my Get-SecNetMap &#8220;Mini-Module&#8221;:</p>
<ol>
<li>Get-SecNetMap</li>
<li>Get-SecPortScan</li>
<li><strong>Get-SecIPRange (This Post)</strong></li>
<li>Convert-SecIPAddress</li>
<li>Get-SecArpTable</li>
</ol>
<p>You can download the module source files here: <a title="http://securekomodo.net/files/Get-SecNetMap.zip" href="http://securekomodo.net/files/Get-SecNetMap.zip" target="_blank">http://securekomodo.net/files/Get-SecNetMap.zip</a></p>
<h2 id="get-seciprange">Get-SecIPRange</h2>
<p>Get-SecIPRange is designed to enumerate all IP addresses within a given range. I have intentionally coded this to support a maximum range of 65,534 addresses (a /16 CIDR block) because seriously, who needs to scan a range that large. Anyway, this function loops through only the third and fourth octets of an IP address range to determine each address in the range for scanning. Currently this is designed as a sort of &#8220;queue&#8221; of IPs for Get-SecNetMap to work against. Let's take a look at the output.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/IPrange.png"><img class="alignnone size-full wp-image-1060" src="http://securekomodo.net/wp-content/uploads/2014/04/IPrange.png" alt="IPrange" width="457" height="189" /></a></p>
<p>It is relatively simple, and achieving this output involves a few if/then statements and some nested loops. I wrote it relatively quickly and haven't had any issues so far, but it has had the least amount of bug checking out of the 5 functions in this module.</p>
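<p>As an added example (not part of the Get-SecNetMap module), the following expands a CIDR block, the input format the function's own notes list as a future enhancement, into its network, broadcast and host addresses using 32-bit integer arithmetic instead of per-octet loops; it goes a step past the two-octet loop described above in that any prefix length works and /31 and /32 are handled. The function names and the 192.168.0.20/28 sample are assumptions.</p>

```powershell
# Added example (not part of the Get-SecNetMap module): CIDR block to
# network, broadcast and host list using 32-bit integer arithmetic.
function ConvertTo-IPv4Int {
    # Dotted quad -> integer 0..4294967295. Kept as Int64 because PowerShell's
    # integer literals and -shl/-shr operate on signed types.
    param ([Parameter(Mandatory)][System.Net.IPAddress]$IP)
    $b = $IP.GetAddressBytes()            # always network (big-endian) order
    if ($b.Length -ne 4) { throw "IPv4 address expected, got $IP" }
    ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function ConvertFrom-IPv4Int {
    # Integer -> dotted quad string; the inverse of ConvertTo-IPv4Int
    param ([Parameter(Mandatory)][int64]$Value)
    if ($Value -lt 0 -or $Value -gt 4294967295) { throw "Out of IPv4 range: $Value" }
    '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                         (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-CidrRange {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$')]
        [string]$Cidr,
        # Same guard rail as Get-SecIPRange: refuse anything larger than a /16
        [int64]$MaxHosts = 65534
    )
    $AddressText, $PrefixText = $Cidr -split '/'
    [int]$Prefix = $PrefixText
    if ($Prefix -gt 32) { throw "Prefix length must be 0..32: $Cidr" }

    # Mask with the top $Prefix bits set, truncated back to 32 bits
    [int64]$Mask      = ([int64]0xFFFFFFFF -shl (32 - $Prefix)) -band 0xFFFFFFFF
    [int64]$Address   = ConvertTo-IPv4Int ([System.Net.IPAddress]::Parse($AddressText))
    [int64]$Network   = $Address -band $Mask
    [int64]$Broadcast = $Network -bor ((-bnot $Mask) -band 0xFFFFFFFF)

    # A /31 (RFC 3021 point-to-point) or /32 has no separate network or
    # broadcast address: every address in the block is a host
    if ($Prefix -ge 31) { $First = $Network;     $Last = $Broadcast     }
    else                { $First = $Network + 1; $Last = $Broadcast - 1 }

    $HostCount = $Last - $First + 1
    if ($HostCount -gt $MaxHosts) {
        throw "$Cidr contains $HostCount hosts, above the $MaxHosts limit"
    }

    # Emit hosts straight to the pipeline instead of growing an array with +=
    $Hosts = for ([int64]$i = $First; $i -le $Last; $i++) { ConvertFrom-IPv4Int $i }

    [PSCustomObject]@{
        Cidr      = $Cidr
        Network   = ConvertFrom-IPv4Int $Network
        Broadcast = ConvertFrom-IPv4Int $Broadcast
        Mask      = ConvertFrom-IPv4Int $Mask
        HostCount = $HostCount
        Hosts     = @($Hosts)
    }
}

# Constructed sample input: a /28 around 192.168.0.20 gives network
# 192.168.0.16, broadcast 192.168.0.31 and 14 hosts (.17 through .30)
$Range = Get-CidrRange -Cidr '192.168.0.20/28'
$Range | Select-Object Cidr, Network, Broadcast, Mask, HostCount | Format-List
$Range.Hosts[0], $Range.Hosts[-1]
```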
<p><strong>Get-SecIPRange</strong></p>
<div style="font-size: 12px;">
<pre><code class="language-powershell">Function Get-SecIPRange {
&lt;#
.SYNOPSIS
Enumerates all IP addresses in a given range

.DESCRIPTION
Uses nested loops to quickly list all IP addresses based on a minimum and maximum IP address

.PARAMETER minIP
Will only accept an IP address input for the minimum in the range

.PARAMETER maxIP
Will only accept an IP address input for the maximum in the range

.NOTES
Seriously. Don't go below a /16 CIDR unless you want to lock up your system...

Future enhancements will be to accept a CIDR notation like 192.168.0.0/24

Name: Get-SecIPRange.ps1
Author: SecureKomodo
Version: 1.0
#&gt;
[Cmdletbinding()]
Param (
    [Parameter(Mandatory = $True)]
    [System.Net.IPAddress]$minIP,

    [Parameter(Mandatory = $True)]
    [System.Net.IPAddress]$maxIP
)

# Work on the octets as plain integers; a [byte[]] element would overflow when the third octet is incremented
[int[]]$minOctet = $minIP.GetAddressBytes()
[int[]]$maxOctet = $maxIP.GetAddressBytes()

# Only the third and fourth octets are enumerated, so the first two must match (max range is a /16)
If (($minOctet[0] -ne $maxOctet[0]) -or ($minOctet[1] -ne $maxOctet[1])) {
    Write-Warning "minIP and maxIP must share the first two octets (maximum range is a /16)"
    Return @()
}
$prefix = "$($minOctet[0]).$($minOctet[1])"

# Store in Object
$TargetRange = @()

# Enumerate IP Addresses in the given range
If ($minOctet[2] -lt $maxOctet[2]) {

    # Remainder of the first third-octet block: from minIP's last octet up to .255
    foreach ($1 in (($minOctet[3])..255)) {
        Write-Verbose "$prefix.$($minOctet[2]).$1"
        $TargetRange += "$prefix.$($minOctet[2]).$1"
    }

    # Every full third-octet block strictly between minIP and maxIP.
    # Counting from min+1 avoids re-enumerating the first block, which the original Do/Until did.
    $third = $minOctet[2] + 1
    While ($third -lt $maxOctet[2]) {
        foreach ($2 in (1..255)) {
            Write-Verbose "$prefix.$third.$2"
            $TargetRange += "$prefix.$third.$2"
        }
        $third++
    }

    # Start of the last block, up to maxIP's last octet (guard: 1..0 would count backwards)
    If ($maxOctet[3] -ge 1) {
        foreach ($3 in (1..($maxOctet[3]))) {
            Write-Verbose "$prefix.$($maxOctet[2]).$3"
            $TargetRange += "$prefix.$($maxOctet[2]).$3"
        }
    }

} ElseIf (($minOctet[2] -eq $maxOctet[2]) -and ($minOctet[3] -le $maxOctet[3])) {

    # Both addresses fall in the same third-octet block
    foreach ($4 in ($minOctet[3]..$maxOctet[3])) {
        Write-Verbose "$prefix.$($minOctet[2]).$4"
        $TargetRange += "$prefix.$($minOctet[2]).$4"
    }

} Else {
    Write-Warning "minIP is greater than maxIP; nothing to enumerate"
}

Return $TargetRange
}
</code></pre>
</div>
Part IV: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner
https://www.securekomodo.net/part-iv-powershell-multithreading-asyncronous-network-and-host-discovery-scanner/
Sun, 06 Apr 2014 23:44:45 +0000
<p>Part IV of my Get-SecNetMap &#8220;Mini-Module&#8221;:</p>
<ol>
<li>Get-SecNetMap</li>
<li>Get-SecPortScan</li>
<li>Get-SecIPRange</li>
<li><strong>Convert-SecIPAddress (This Post)</strong></li>
<li>Get-SecArpTable</li>
</ol>
<p>You can download the module source files here: <a title="http://securekomodo.net/files/Get-SecNetMap.zip" href="http://securekomodo.net/files/Get-SecNetMap.zip" target="_blank">http://securekomodo.net/files/Get-SecNetMap.zip</a></p>
<h2 id="convert-secipaddress">Convert-SecIPAddress</h2>
<p>The Convert-SecIPAddress function is actually pretty cool. I was able to use mathematics learned from my cryptography courses during my undergrad to convert an IP address to an integer and vice versa. It is performance optimized and supports long integers, which is where most of the errors I had during development were. Since many of the integers returned are 10 characters long, I had to force-cast them to the LONG type so PowerShell could actually work with them. This conversion was written to allow the randomization of IP addresses in the Get-SecNetMap function: to randomize, I convert each IP to an integer, &#8220;shuffle&#8221; the integers with Get-Random, and then convert each integer back to an IP address. Let&#8217;s take a look at the sample below.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/ConvertIPAddress.png"><img class="alignnone size-full wp-image-1064" src="http://securekomodo.net/wp-content/uploads/2014/04/ConvertIPAddress.png" alt="ConvertIPAddress" width="390" height="106" /></a></p>
<p><strong>Convert-SecIPAddress</strong></p>
<div style="font-size: 12px;">
<pre><code class="language-powershell">Function Convert-SecIPAddress {
&lt;#
.SYNOPSIS
Converts an IP Address to an Integer and vice versa

.DESCRIPTION
Performs mathematical operations on each octet to determine the integer representation of an IP address.
Also will calculate an IP address from an Integer.

.PARAMETER toINT
Switch to allow script to process an IP address into an integer

.PARAMETER fromINT
Switch to allow script to process an integer into an IP address

.PARAMETER IPAddr
The IPv4 address to convert (used with -toINT)

.PARAMETER Int64
The integer to convert (used with -fromINT)

.Example
Convert-SecIPAddress -toINT 192.168.1.101

3232235877

.Example
Convert-SecIPAddress -fromINT 3232235877

192.168.1.101

.NOTES
Name: Convert-SecIPAddress.ps1
Author: SecureKomodo
Version: 1.0
#&gt;
[Cmdletbinding()]
Param (
    [Parameter(ParameterSetName="toINT")]
    [Switch]$toINT,

    [Parameter(ParameterSetName="fromINT")]
    [Switch]$fromINT,

    [Parameter(Position=0,Mandatory = $True,ParameterSetName="toINT")]
    [System.Net.IPAddress]$IPAddr,

    [Parameter(Position=0,Mandatory = $True,ParameterSetName="fromINT")]
    [System.Int64]$Int64
)

Begin{
    # Declare Output Array
    $OutputArray=@()

    # Convert the IP to a byte array (network byte order: most significant octet first)
    if ($toINT) {[byte[]]$ByteArray = $IPAddr.GetAddressBytes()}
}

Process{
    # Convert from IP Address to Integer: octet0*256^3 + octet1*256^2 + octet2*256 + octet3
    If ($toINT){
        [System.Int64]$Int64 = 0

        for ($ci=0; $ci -lt $ByteArray.Length; $ci++) {
            $Power = (3-$ci)
            # Cast to Int64 before multiplying so the result cannot overflow a 32-bit [int]
            $Int64 += [System.Int64]$ByteArray[$ci] * [Math]::Pow(256, $Power)
        }
        $OutputArray += $Int64
    } # End If toINT

    # Convert from Integer to IP Address
    ElseIf ($fromINT) {
        # Anything outside 32 bits is not an IPv4 address; the division below would produce octets above 255
        if (($Int64 -lt 0) -or ($Int64 -gt 4294967295)) {
            Write-Warning "$Int64 is outside the IPv4 range 0..4294967295"
            Return
        }
        $IP=(
            [math]::truncate($Int64/16777216),
            [math]::truncate(($Int64%16777216)/65536),
            [math]::truncate(($Int64%65536)/256),
            [math]::truncate($Int64%256)) -join "."

        $OutputArray += $IP.ToString()
    } # End ElseIf fromINT
} # End Process

End{
    Return $OutputArray
}
} #End Convert-SecIPAddress
</code></pre>
</div>
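<p>As an added example that is not part of the module, the octet arithmetic behind both Get-SecIPRange and Convert-SecIPAddress in Python: the same octet-times-powers-of-256 conversion, a range enumerator that keeps the module's /16 cap but walks all four octets, and the shuffle the conversion was written for. Function names and the constructed addresses are mine.</p>

```python
"""Added example (not part of the Get-SecNetMap module): the octet arithmetic
behind Convert-SecIPAddress and Get-SecIPRange on plain Python integers, with the
module's /16 size cap enforced."""
import random

MAX_RANGE = 65534  # the module's own cap: never more than a /16 worth of addresses


def ip_to_int(ip):
    """192.168.1.101 -> 3232235877: each octet times 256 ** (3 - position),
    the toINT branch of Convert-SecIPAddress."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    value = 0
    for position, octet in enumerate(octets):
        value += octet * 256 ** (3 - position)
    return value


def int_to_ip(value):
    """Inverse of ip_to_int by division and modulo, the fromINT branch.
    Rejects values outside 32 bits, which the PowerShell version silently accepts."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("%d is outside the IPv4 range 0..4294967295" % value)
    octets = [
        value // 16777216,
        (value % 16777216) // 65536,
        (value % 65536) // 256,
        value % 256,
    ]
    return ".".join(str(o) for o in octets)


def _bounds(min_ip, max_ip):
    """Validate a range and return it as integers, enforcing the size cap so a
    typo in one octet cannot turn into millions of targets."""
    lo, hi = ip_to_int(min_ip), ip_to_int(max_ip)
    if lo > hi:
        raise ValueError("min_ip is greater than max_ip")
    if hi - lo + 1 > MAX_RANGE:
        raise ValueError("range has %d addresses, cap is %d" % (hi - lo + 1, MAX_RANGE))
    return lo, hi


def ip_range(min_ip, max_ip):
    """Every address from min_ip to max_ip inclusive, in order. Working on integers
    means the range is not limited to the last two octets as in Get-SecIPRange."""
    lo, hi = _bounds(min_ip, max_ip)
    return [int_to_ip(v) for v in range(lo, hi + 1)]


def shuffled_range(min_ip, max_ip, seed=None):
    """The randomisation Get-SecNetMap needed the conversion for: shuffle the
    integers (a seed makes the order reproducible), then convert them back."""
    lo, hi = _bounds(min_ip, max_ip)
    values = list(range(lo, hi + 1))
    random.Random(seed).shuffle(values)
    return [int_to_ip(v) for v in values]
```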
Part V: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner
https://www.securekomodo.net/part-v-powershell-multithreading-asyncronous-network-and-host-discovery-scanner/
Sun, 06 Apr 2014 23:44:05 +0000
<p>Part V of my Get-SecNetMap “Mini-Module”:</p>
<ol>
<li>Get-SecNetMap</li>
<li>Get-SecPortScan</li>
<li>Get-SecIPRange</li>
<li>Convert-SecIPAddress</li>
<li><strong>Get-SecArpTable (This Post)</strong></li>
</ol>
<p>You can download the module source files here: <a title="http://securekomodo.net/files/Get-SecNetMap.zip" href="http://securekomodo.net/files/Get-SecNetMap.zip" target="_blank">http://securekomodo.net/files/Get-SecNetMap.zip</a></p>
<p><strong>Get-SecArpTable</strong></p>
<p>Get-SecArpTable is more or less a wrapper around the existing ARP.exe executable. The only issue with simply calling ARP.exe in your scripts is that its output is all strings. This function parses the ARP table output and returns a PSObject so that it can be used more easily in scripts and other functions.</p>
<p>One of the key features of this function is the ability to test the local ARP table for poisoning, and also the ability to spoof a static entry into the local ARP cache in order to poison it. The only restriction is that editing the ARP table requires administrative access.. 🙁</p>
<p>Let&#8217;s take a look at some screenshots.</p>
<p>The testPoisen parameter shown here scans the entire local subnet so that all entries appear in the ARP table, then checks whether duplicate entries exist.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/testpoisen.png"><img class="alignnone size-full wp-image-1074" src="http://securekomodo.net/wp-content/uploads/2014/04/testpoisen.png" alt="ARP Poisen" width="282" height="65" /></a></p>
<p>To spoof a static entry into the ARP table, you will need admin rights.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/testpoisen1.png"><img class="alignnone size-full wp-image-1075" src="http://securekomodo.net/wp-content/uploads/2014/04/testpoisen1.png" alt="ARP Poisen" width="745" height="83" /></a></p>
<p>See here how there are duplicate entries.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/poisened.png"><img class="alignnone size-full wp-image-1072" src="http://securekomodo.net/wp-content/uploads/2014/04/poisened.png" alt="ARP Poisen" width="1124" height="321" /></a></p>
<p>Testing once more shows that the ARP table is poisoned and some basic recommendations.</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/POISENEDBRO.png"><img class="alignnone size-full wp-image-1073" src="http://securekomodo.net/wp-content/uploads/2014/04/POISENEDBRO.png" alt="ARP Poisen" width="757" height="38" /></a></p>
<div style="font-size: 12px;">
<pre><code class="language-powershell">Function Get-SecArpTable {
&lt;#
.SYNOPSIS
Retrieves ARP table and allows to test if ARP poisoned, or choose to spoof ARP cache

.DESCRIPTION
Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP)

Changing your ARP table requires Admin

.PARAMETER testPoisen
Pings the local subnet (via Get-SecNetMap) to populate the ARP cache, then reports whether any MAC address is mapped to more than one IP

.PARAMETER Spoof
Adds a static entry into the ARP cache. Beauty is that this method creates NO network traffic and doesn't alert IDS 🙂

.PARAMETER InternetAddress
IP address of the static entry to add (used with -Spoof)

.PARAMETER PhysicalAddress
MAC address of the static entry to add (used with -Spoof)

.PARAMETER Delete
Flushes the ARP cache (arp -d *) and then returns the rebuilt table

.Example
Get-SecArpTable -testPoisen

.Example
Get-SecArpTable

.NOTES
Name: Test-ArpPoisen.ps1
Author: SecureKomodo
Version: 1.0
#&gt;
[Cmdletbinding()]
Param (
    [Parameter(ParameterSetName="testPoisen")]
    [Alias("tP")]
    [Switch]$testPoisen,

    [Parameter(ParameterSetName="Spoof")]
    [Alias("S")]
    [Switch]$Spoof,

    [Parameter(Position=0,Mandatory = $True,ParameterSetName="Spoof")]
    [System.Net.IPAddress]$InternetAddress,

    # Position 1: two parameters in the same set cannot both claim position 0
    [Parameter(Position=1,Mandatory = $True,ParameterSetName="Spoof")]
    [String]$PhysicalAddress,

    [Alias("D")]
    [Switch]$Delete
)

Begin {
    $ArpCache=@()

    # Ping the localhost subnet to build ARP cache
    if ($testPoisen){
        Write-Verbose "Finding active hosts on subnet..."
        Get-SecNetMap -sSN -Silent | Out-Null
    }

    if ($Spoof -or $Delete){
        If (!([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
            # throw rather than Break: Break outside a loop would terminate the caller's script, not just this function
            throw "You do not have Administrator rights to edit the ARP table!`nPlease re-run this script as an Administrator!"
        }
    } # End if Spoof or Delete specified

    if ($Spoof) { (ARP.EXE -s $InternetAddress $PhysicalAddress) }
}

Process {
    # Hack to retrieve and convert arp table as an object and then determine if poisoned since PS doesn't do this natively
    Write-Verbose "Retrieving ARP Table"
    $ArpCache=@()
    # Keep only entry lines (leading whitespace, then an IPv4 address); skip the "Interface:" and column-header lines
    (ARP.EXE -a) | Where-Object { $_ -match '^\s+\d{1,3}(\.\d{1,3}){3}\s' } | ForEach-Object {
        $fields = $_.Trim() -split '\s+'
        $ArpCache += New-Object PSObject -Property @{
            IP   = $fields[0]
            MAC  = $fields[1]
            Type = $fields[2]
        }
    }

    if ($testPoisen) {
        Write-Verbose "Testing if ARP table is Poisoned"
        # A MAC that appears on more than one IP = Poisoned. The broadcast and IPv4 multicast (01-00-5e-*)
        # entries legitimately repeat across interfaces, so they are left out of the test.
        $Candidates = $ArpCache | Where-Object { ($_.MAC -ne "ff-ff-ff-ff-ff-ff") -and ($_.MAC -notlike "01-00-5e-*") }
        $DuplicateMac = @($Candidates.MAC | Group-Object | Where-Object {$_.Count -gt 1})

        if ($DuplicateMac.Count -eq 0) { Write-Output "Poisoned: $False" }
        else {
            Write-Warning "Poisoned: $True - Please delete your arp table and contact your Security Administrator!"
            Return $ArpCache | Sort-Object MAC
        }
    } # End testPoisen

    if ($Delete){ (ARP.EXE -d *) }
} # End Process

End {
    if (!$testPoisen -and !$Spoof) {
        if ($Delete) {
            # Touch the network once so the cache starts repopulating, then return the fresh table
            Test-Connection 127.0.0.1 -Count 1 -BufferSize 8 -Quiet | Out-Null
            Get-SecArpTable
        } else {Return $ArpCache}
    }
} #End End
} # End Get-SecArpTable
</code></pre>
</div>
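<p>As an added example that is not part of the module, the same parse-then-look-for-duplicates check in Python over a constructed sample of Windows <code>arp -a</code> output, so it runs offline. The sample, the record layout and the function names are mine; the broadcast and multicast exclusions are the false positives the duplicate test otherwise trips on.</p>

```python
"""Added example (not part of the Get-SecNetMap module): parse Windows
`arp -a` output into records and apply the duplicate-MAC test behind
-testPoisen, run here over a constructed sample so it works offline."""
import re
from collections import defaultdict, namedtuple

ArpEntry = namedtuple("ArpEntry", "interface ip mac type")

# Constructed sample in the layout arp -a prints on Windows. Two different IPs
# on the first interface resolve to the same MAC: what a spoofed gateway looks like.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 10.0.0.5 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              aa-bb-cc-dd-ee-ff     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

INTERFACE_RE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})")
ENTRY_RE = re.compile(
    r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return a list of ArpEntry. Header, blank and 'Interface:' lines are skipped;
    a plain split on whitespace would turn them into junk records."""
    entries, interface = [], None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            interface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append(ArpEntry(interface, ip, mac.lower(), kind))
    return entries


def find_duplicate_macs(entries):
    """{mac: [ips]} for every MAC that answers for more than one IP on the same
    interface. Broadcast and IPv4 multicast (01-00-5e-*) MACs are expected to
    repeat and are ignored. A remaining hit is a signal, not proof: a router that
    owns several IPs (VRRP, secondary addresses) produces the same pattern."""
    seen = defaultdict(list)
    for e in entries:
        if e.mac == "ff-ff-ff-ff-ff-ff" or e.mac.startswith("01-00-5e-"):
            continue
        seen[(e.interface, e.mac)].append(e.ip)
    return {mac: ips for (_, mac), ips in seen.items() if len(ips) > 1}


def is_poisoned(entries):
    """The yes/no answer -testPoisen prints."""
    return bool(find_duplicate_macs(entries))
```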
<p>Hope you enjoy!</p>
Powershell Simple Substitution Cipher
https://www.securekomodo.net/powershell-simple-substitution-cipher/
Sat, 05 Apr 2014 16:27:48 +0000
<h2 id="powershell-simple-substitution-cipher">Powershell Simple Substitution Cipher</h2>
<p>Another assignment from my Cryptography course in my undergrad was to develop our own PowerShell simple substitution cipher programmatically. This code is merely a framework to provide any type of substitution key you want. I wanted to do a custom cipher to allow a bit more security (though any security expert knows that substitution ciphers are highly crackable)&#8230; though, it is still better than clear-text at least&#8230;</p>
<p>An example of a very popular substitution cipher is shown below:</p>
<p><a href="http://securekomodo.net/wp-content/uploads/2014/04/ceaser.png"><img class="alignnone wp-image-988" src="http://securekomodo.net/wp-content/uploads/2014/04/ceaser-300x188.png" alt="Powershell Simple Substitution Cipher - Ceaser" width="429" height="268" /></a></p>
<p>This cipher is called a Caesar cipher; the ROT13 variant shown rotates each letter by 13 positions in the alphabet. It was used by Julius Caesar to send highly sensitive information in Roman times. The basic concept is still the same today, and the whole idea behind this type of cipher is that each letter in the alphabet has a direct substitution of another letter from the alphabet. The problem is that the same key is used to both encrypt and decrypt. This makes this method of encryption very weak. I chose NOT to use the most popular substitution cipher and instead created my own custom cipher. Some letters were substituted with another, and others were not, further throwing off a malicious user attempting to decipher your ciphertext.</p>
<p>Take a look at my PowerShell code below.</p>
<div style="font-size: 12px;">
<pre><code class="language-powershell">Function Encrypt-String {
    param (
        [Parameter(Position=0,Mandatory=$True)]
        [string]$Message)

    # Declaring the encryption and decryption key (A=A,B=Z,C=Q ...etc)
    $CipherTextAlpha = "AZQSWXDECFRVGTBHYNJMUKILOP0123456789"
    $PlainTextAlpha  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ5438279016"
    $length = $CipherTextAlpha.Length

    # Adding letters to array
    $Hash = @{}
    for($i=0; $i -lt $length; $i+=1) {
        $Hash.add($PlainTextAlpha[$i],$CipherTextAlpha[$i])
    }

    # Converting to Upper
    $Message = $Message.ToUpper()
    $CTlength = $Message.Length
    $CipherText=""

    for($i=0; $i -lt $CTlength; $i+=1) {
        $char = $Message[$i]
        # Characters not in the key (spaces, punctuation) are copied through unchanged rather than
        # silently dropped, so Decrypt-String can restore the original message
        if ($Hash.ContainsKey($char)) { $CipherText += $Hash[$char] } else { $CipherText += $char }
    }
    Write-Host -ForegroundColor Yellow "`n$CipherText"
}

Function Decrypt-String {
    param (
        [Parameter(Position=0,Mandatory=$True)]
        [string]$CipherText)

    # Declaring the encryption and decryption key (A=A,B=Z,C=Q ...etc)
    $CipherTextAlpha = "AZQSWXDECFRVGTBHYNJMUKILOP0123456789"
    $PlainTextAlpha  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ5438279016"
    $length = $CipherTextAlpha.Length

    # Same table, inverted: ciphertext character -> plaintext character
    $Hash = @{}
    for($i=0; $i -lt $length; $i+=1) {
        $Hash.add($CipherTextAlpha[$i],$PlainTextAlpha[$i])
    }

    $CipherText = $CipherText.ToUpper()
    $CTlength = $CipherText.Length
    $PlainText=""

    for($i=0; $i -lt $CTlength; $i+=1) {
        $char = $CipherText[$i]
        if ($Hash.ContainsKey($char)) { $PlainText += $Hash[$char] } else { $PlainText += $char }
    }
    Write-Host -ForegroundColor Green "`n$PlainText"
}
</code></pre>
</div>
<p>There is much that can be done with this simple script; future revisions could include additional abilities like:</p>
<ol>
<li>Allow the encryption key to be parameter based, rather than statically coded</li>
<li>Randomization (shuffling) of the alphabet to create a new encryption key every time.</li>
<li>Encoding the source code in base64 to further obfuscate the source</li>
</ol>
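<p>As an added example that is not the post's own code, the post's 36-character key in Python with the checks the script lacks: the key is verified to be a bijection before use, characters outside the alphabet pass through so encrypt and decrypt round-trip, a shuffled key covers future-revision item 2, and a letter histogram shows why the scheme is weak. Function names are mine.</p>

```python
"""Added example (not the post's own code): the post's fixed 36-character key as
a Python dict, with the bijection check and round-trip the PowerShell version lacks."""
import random
from collections import Counter

# The post's key: plaintext alphabet (letters, then digits) onto a scrambled alphabet
PLAIN_ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ5438279016"
CIPHER_ALPHA = "AZQSWXDECFRVGTBHYNJMUKILOP0123456789"


def build_key(plain, cipher):
    """Return {plain_char: cipher_char}, refusing a key that is not a bijection:
    a repeated cipher character would make decryption ambiguous."""
    if len(plain) != len(cipher):
        raise ValueError("alphabets differ in length")
    if len(set(plain)) != len(plain) or len(set(cipher)) != len(cipher):
        raise ValueError("an alphabet contains a repeated character")
    if set(plain) != set(cipher):
        raise ValueError("cipher alphabet must be a permutation of the plaintext alphabet")
    return dict(zip(plain, cipher))


def substitute(text, key):
    """Apply the key. Characters outside the alphabet pass through unchanged so
    that encrypt/decrypt round-trip; the post's script drops them."""
    return "".join(key.get(c, c) for c in text.upper())


def encrypt(message):
    return substitute(message, build_key(PLAIN_ALPHA, CIPHER_ALPHA))


def decrypt(ciphertext):
    # The inverse key is the same table read the other way round
    return substitute(ciphertext, build_key(CIPHER_ALPHA, PLAIN_ALPHA))


def random_key(seed=None):
    """Future-revision item 2: a fresh key from a shuffled alphabet. A seed makes
    the key reproducible for testing; leave it out for a real key."""
    shuffled = list(PLAIN_ALPHA)
    random.Random(seed).shuffle(shuffled)
    return build_key(PLAIN_ALPHA, "".join(shuffled))


def letter_histogram(text):
    """Sorted symbol counts, ignoring characters outside the alphabet. This is why
    the cipher is weak: encryption only relabels symbols, so the profile of the
    ciphertext is identical to that of the plaintext and frequency analysis applies."""
    counts = Counter(c for c in text.upper() if c in PLAIN_ALPHA)
    return sorted(counts.values(), reverse=True)
```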
<p>Either way, just a quick script I wrote for the assignment and I got an A. Took about 10 minutes to write.. 🙂</p>
<p>Enjoy</p>
Factoring Prime numbers with Java
https://www.securekomodo.net/factoring-prime-numbers-with-java/
Fri, 04 Apr 2014 01:01:04 +0000
<h2 id="factoring-prime-numbers-with-java">Factoring Prime numbers with Java</h2>
<p>This was an assignment from a cryptography class during my undergrad. It mainly assisted in decrypting a low-bit RSA algorithm but can be used for any purpose.</p>
<p>Essentially it loops through the range and performs some mod calculations to find the prime factors of each number. The three algorithms are used to show that even if a number doesn&#8217;t seem to be prime at first, it could be a prime number used in an encryption algorithm.</p>
<p>Feel free to judge&#8230; I do not claim to be a Java Dev of any type. (nor want to be&#8230;)</p>
<pre><code class="language-java">/* COSC Algorithm Assignment
 *
 * Created By: Bryan
 * Language: Java
 * Compiler: JDK 6.0_65
 *
 */
import static java.lang.Math.*; //Calling Math Library

public class COSCAlgorithm { //Main Class

    //Declaring Variables
    public static int M=3;
    public static double X=1;
    public static double Y=1;

    //Main Function to loop from 3 - 199 iterations
    public static void main(String[] args) {
        while ( M &lt;= 199) {
            // Fermat's method (Algorithms 2 and 3) only works for odd M: an even M with an
            // odd cofactor (e.g. 6 = 2*3) would otherwise be reported as prime by Algorithm 2
            if (M % 2 == 0) {
                System.out.println(M + " has a factor of 2 -- even number");
            } else {
                algorithmOne(); //Begin Algorithm Sequence, starting with Algorithm 1
            }
            M++;
        }
    } //End Main Function

    //Algorithm 1 Function: is M a perfect square?
    public static void algorithmOne() {
        X = floor(sqrt(M)); //Declaring X for Algorithm 1
        if ( pow(X, 2) == M ) {
            System.out.println(M + " has a factor of " + X + " -- Algorithm 1");
        }
        else {
            X++; //Increase X by 1, then...
            algorithmTwo(); //Try Algorithm 2
        }
    } //End Algorithm 1 Function

    //Algorithm 2 Function: once X reaches (M+1)/2 the only factorization left is 1*M, so M is prime
    public static void algorithmTwo() {
        if ( X == (M+1) / 2) {
            System.out.println(M + " is a prime -- Algorithm 2");
        }
        else {
            Y = sqrt((pow(X,2) - M)); //Declaring Y for Algorithm 2
            algorithmThree(); //Try Algorithm 3
        }
    } //End Algorithm 2 Function

    //Algorithm 3 Function: if X^2 - M is a perfect square Y^2, then M = (X-Y)(X+Y)
    public static void algorithmThree() {
        if (pow((floor(Y)), 2) == (pow(X, 2) - M)) {
            System.out.println(M + " has factors (X-Y) and (X+Y): " + (X - floor(Y)) + " and " + (X + floor(Y)));
        }
        else {
            X++; //Increase X by 1, then...
            algorithmTwo(); //Try Algorithm 2 again...
        }
    } //End Algorithm 3 Function
} //End of Class
</code></pre>
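<p>As an added example that is not the assignment's code, the three algorithms above as one Python function that returns the factor pair and how many X values it tried, generalised to any bound and with the even-number case handled. The try count is the point for RSA: a modulus whose two primes are close is split after a handful of steps. Function names are mine.</p>

```python
"""Added example (not the assignment's code): Fermat's factorization, the method
behind Algorithms 1 to 3, as one function returning the factor pair."""
from math import isqrt


def fermat_factor(m):
    """Return (p, q, tries) with p * q == m and p <= q.
    Algorithm 1: x = floor(sqrt(m)); if x*x == m the factor is x.
    Algorithm 2: stop once x reaches (m + 1) / 2, where only 1 * m is left.
    Algorithm 3: if x*x - m is a perfect square y*y then m = (x - y) * (x + y);
                 otherwise x += 1 and go back to Algorithm 2.
    tries counts the x values examined in the Algorithm 2/3 loop: for m = p*q with
    p and q close together it is tiny, which is why RSA primes must not be close."""
    if m < 2:
        raise ValueError("m must be >= 2")
    if m == 2:
        return (1, 2, 0)
    if m % 2 == 0:
        # Fermat's method needs m odd: x - y and x + y have the same parity, so
        # 2 * odd (e.g. 6) is never (x - y)(x + y) and the Java loop calls it prime.
        return (2, m // 2, 0)
    x = isqrt(m)
    if x * x == m:                     # Algorithm 1
        return (x, x, 0)
    x += 1
    tries = 0
    while x <= (m + 1) // 2:           # Algorithm 2
        tries += 1
        y2 = x * x - m
        y = isqrt(y2)
        if y * y == y2:                # Algorithm 3
            return (x - y, x + y, tries)
        x += 1
    return (1, m, tries)               # not reached: x = (m+1)/2 always gives y = (m-1)/2


def is_prime(m):
    """True when Fermat's search finds only the trivial pair (1, m)."""
    return fermat_factor(m)[0] == 1


def primes_in_range(lo, hi):
    """The assignment's loop (M = 3 .. 199) generalised to any bounds."""
    return [m for m in range(lo, hi + 1) if is_prime(m)]
```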
<p>As always please feel free to subscribe/comment/share</p>
<p>Thanks!</p>
<p>-Bryan</p>